CVE-2026-10559
File Inclusion Vulnerability in SourceCodester Pizzafy Ecommerce System
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pizzafy_ecommerce_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10559 is a Local File Inclusion (LFI) issue in SourceCodester Pizzafy Ecommerce System 1.0. The `page` parameter of `index.php` is used to build the path of a file that is then included, with only a fixed file extension appended as a restriction. An attacker can append a URL-encoded null byte (`%00`) to the parameter; on PHP builds older than 5.3.4 the path is truncated at the null byte, the appended extension is dropped, and arbitrary files on the server can be included.
This lets an attacker read sensitive files such as the web server's access log (`access.log`), and it can be escalated to remote code execution through log poisoning: the attacker first sends a request containing PHP code, which the server writes verbatim into the log, then includes that log file so the code is executed. The vulnerability was demonstrated in a Windows XAMPP environment.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server.
More severely, it can enable Remote Code Execution (RCE) if an attacker manages to inject malicious PHP code into accessible files like logs, which the system then includes and executes.
This can compromise the entire server, leading to unauthorized access, data theft, or further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to testing the `page` parameter of `index.php` for Local File Inclusion via null-byte injection, and checking whether the server's PHP build is old enough for that injection to work (the null-byte truncation was removed in PHP 5.3.4). Only run such tests against systems you are authorized to assess.
- Send a traversal payload with a trailing null byte in the `page` parameter, for example: `curl -i "http://target/index.php?page=../../apache/logs/access.log%00"` (the relative path assumes the XAMPP layout in which the vulnerability was demonstrated; adjust it for other installations).
- Inspect the response body for content that does not belong to the application, such as Apache log lines or configuration data, and for PHP warnings that mention `include()` or the traversed path; either indicates the parameter reaches a file-inclusion call.
- Check the PHP version on the host (`php -v`); on PHP 5.3.4 and later the null byte is rejected, though the code remains unsafe and should still be fixed.
- Review the web server's access log for requests to `index.php` whose `page` parameter contains `%00` or `../` sequences; these are attempts against this flaw whether or not they succeeded.
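The log review suggested above, as an added example that is not part of the original advisory or of the Pizzafy code: a small PHP CLI scanner that parses Apache combined-format access-log lines, URL-decodes the query string the way the server would, and flags any request whose `page` parameter carries a null byte or a directory-traversal sequence. The log lines are constructed for the demo and the client addresses are documentation ranges.

```php
<?php
// Added example: scan Apache access-log lines for LFI attempts against the
// `page` parameter. The sample lines below are constructed, not real traffic.

// Combined/common log format: client ident user [time] "METHOD url PROTO" status ...
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) /';

function is_lfi_attempt(string $rawUrl): bool
{
    $query = parse_url($rawUrl, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    // parse_str url-decodes values, so %00 becomes "\0" and %2e%2e%2f becomes "../",
    // which is exactly what the vulnerable include() would have seen.
    parse_str($query, $params);
    if (!isset($params['page']) || !is_string($params['page'])) {
        return false;
    }
    $page = $params['page'];
    return strpos($page, "\0") !== false              // null-byte truncation attempt
        || stripos($page, '%00') !== false            // double-encoded variant
        || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $page) === 1; // ../ or ..\
}

function scan_access_log(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue; // not a combined/common-format line
        }
        [, $client, $time, $method, $url, $status] = $m;
        if (is_lfi_attempt($url)) {
            $hits[] = [
                'line'   => $n + 1,
                'client' => $client,
                'time'   => $time,
                'method' => $method,
                'url'    => $url,
                'status' => (int) $status,
            ];
        }
    }
    return $hits;
}

// Constructed sample log. An HTTP 200 on the traversal+null-byte request is
// the signal that the include most likely succeeded; a 404/500 is still an attempt.
const SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2026:10:01:02 +0000] "GET /pizzafy/index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2026:10:01:07 +0000] "GET /pizzafy/index.php?page=../../apache/logs/access.log%00 HTTP/1.1" 200 88123 "-" "curl/8.4.0"',
    '203.0.113.9 - - [02/Jun/2026:10:01:09 +0000] "GET /pizzafy/index.php?page=..%2F..%2Fapache%2Flogs%2Faccess.log%00&cmd=whoami HTTP/1.1" 200 88140 "-" "curl/8.4.0"',
    '198.51.100.2 - - [02/Jun/2026:10:02:00 +0000] "GET /pizzafy/index.php?page=menu HTTP/1.1" 200 7340 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [02/Jun/2026:10:02:03 +0000] "POST /pizzafy/cart.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log(SAMPLE_LOG) as $hit) {
    printf("line %d: %s %s %s -> HTTP %d\n",
        $hit['line'], $hit['client'], $hit['method'], $hit['url'], $hit['status']);
}
```

Run it against a real file with `scan_access_log(new SplFileObject('access.log'))` (SplFileObject is iterable line by line). Lines 2 and 3 of the sample are reported; the plain `page=home` and `page=menu` requests are not. Decoding once, as the server does, matters: a regex on the raw URL would miss the `%2F`-encoded traversal in line 3.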
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to stop passing user input into file-inclusion calls at all: map the `page` parameter onto a fixed allowlist of page names and include only the file that entry names, serving an error for anything else.
Where an allowlist is not possible, reject any value containing null bytes, path separators or `..` sequences, then resolve the resulting path and verify it lies inside the intended directory before including it.
Never concatenate raw request parameters into `include`, `require` or similar calls; appending a file extension is not a restriction.
Also make sure the server runs a supported PHP release: PHP 5.3.4 and later reject file paths that contain a null byte, which defeats the extension bypass used here, but that does not remove the underlying path traversal and is no substitute for fixing the code.
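The include pattern described in the explanation above, beside the allowlist replacement recommended in the mitigation steps, as an added example. This is not code from the Pizzafy Ecommerce System; the page names, directory layout and demo files are assumptions made for illustration.

```php
<?php
// Added example, not code from the Pizzafy Ecommerce System: the vulnerable
// include pattern the advisory describes, beside an allowlist-based version.
// Page names, directory layout and the demo files are assumptions.

// Vulnerable pattern. The ".php" suffix looks like an extension restriction,
// but on PHP older than 5.3.4 a "%00" in $page truncates the path at the null
// byte, so ?page=../../apache/logs/access.log%00 includes the Apache log.
function vulnerable_page_path(string $page, string $pagesDir): string
{
    return $pagesDir . DIRECTORY_SEPARATOR . $page . '.php';
}

// Hardened pattern: the request selects an entry in a fixed map, so no
// user-controlled bytes ever reach include(). Unknown pages return null and
// the caller serves a 404 or the home page instead.
const ALLOWED_PAGES = [
    'home'     => 'home.php',
    'menu'     => 'menu.php',
    'cart'     => 'cart.php',
    'checkout' => 'checkout.php',
];

function safe_page_path(string $page, string $pagesDir): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    $root = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$page]);
    // Belt and braces: the resolved file must still live under $pagesDir,
    // which also catches a symlinked or misconfigured pages directory.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo with constructed files in a temporary directory.
function demo(): void
{
    $base  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pizzafy_demo_' . getmypid();
    $pages = $base . DIRECTORY_SEPARATOR . 'pages';
    $logs  = $base . DIRECTORY_SEPARATOR . 'logs';
    mkdir($pages, 0700, true);
    mkdir($logs, 0700, true);
    file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
    // A poisoned log entry (constructed): an earlier request carried PHP code
    // in its URL and Apache wrote that URL into access.log verbatim.
    file_put_contents($logs . DIRECTORY_SEPARATOR . 'access.log',
        '203.0.113.9 - - [02/Jun/2026:10:00:00 +0000] "GET /?x=<?php system($_GET[\'c\']); ?> HTTP/1.1" 404 0' . "\n");

    $payload = "../logs/access.log\0";   // what "%00" decodes to on the server

    // Vulnerable: the string handed to include() is the log path, a NUL, then ".php".
    $v = vulnerable_page_path($payload, $pages);
    printf("vulnerable include path: %s\n", addcslashes($v, "\0"));
    printf("  truncated at NUL (pre-5.3.4 behaviour): %s\n", strstr($v, "\0", true));

    // Hardened: the traversal payload is simply not an allowed key.
    var_dump(safe_page_path($payload, $pages));   // NULL
    var_dump(safe_page_path('home', $pages));     // string(...) ".../pages/home.php"

    // Remove the constructed files.
    unlink($pages . DIRECTORY_SEPARATOR . 'home.php');
    unlink($logs . DIRECTORY_SEPARATOR . 'access.log');
    rmdir($pages);
    rmdir($logs);
    rmdir($base);
}

demo();
```

The hardened version never calls `include` on anything derived from the request: the parameter is only a lookup key, so null bytes, traversal sequences and encoding tricks cannot change which file is loaded. The `realpath` containment check is a second layer rather than the primary control.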
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows Local File Inclusion (LFI) via improper input validation, potentially leading to information disclosure or remote code execution. This can expose sensitive data stored on the server.
Exposure of sensitive data or unauthorized access due to this flaw could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information.
Therefore, exploitation of this vulnerability may result in violations of confidentiality and integrity requirements mandated by these standards.