CVE-2026-10559
Deferred Deferred - Pending Action
File Inclusion Vulnerability in SourceCodester Pizzafy Ecommerce System

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10559
EUVD
EUVD-2026-33859
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester pizzafy_ecommerce_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-10559 vulnerability is a Local File Inclusion (LFI) issue in the Pizzafy Ecommerce System 1.0. It occurs due to improper input validation in the 'page' parameter of the index.php file. An attacker can exploit this by injecting a null byte (%00) to bypass file extension restrictions, allowing arbitrary files on the server to be included.

This means an attacker can access sensitive files such as server logs (e.g., access.log) and potentially execute remote code by injecting malicious PHP code into these logs (log poisoning). The vulnerability was demonstrated in a Windows XAMPP environment.

Compliance Impact

The vulnerability allows Local File Inclusion (LFI) via improper input validation, potentially leading to information disclosure or remote code execution. This can expose sensitive data stored on the server.

Exposure of sensitive data or unauthorized access due to this flaw could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information.

Therefore, exploitation of this vulnerability may result in violations of confidentiality and integrity requirements mandated by these standards.

Impact Analysis

Exploitation of this vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server.

More severely, it can enable Remote Code Execution (RCE) if an attacker manages to inject malicious PHP code into accessible files like logs, which the system then includes and executes.

This can compromise the entire server, leading to unauthorized access, data theft, or further attacks.

Detection Guidance

This vulnerability can be detected by testing the `page` parameter in the `index.php` file for Local File Inclusion (LFI) via Null Byte Injection. An attacker or tester can attempt to include files by injecting a null byte (%00) to bypass file extension restrictions.

  • Use curl or wget to send requests with payloads targeting the `page` parameter, for example: `http://target/index.php?page=../../apache/logs/access.log%00`
  • Check server responses for inclusion of unintended files such as server logs or configuration files.
  • Example command using curl: `curl -i "http://target/index.php?page=../../apache/logs/access.log%00"`
  • Look for evidence of file inclusion or error messages indicating path traversal or file inclusion.
Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and sanitization on the `page` parameter to prevent injection of null bytes or traversal sequences.

Normalize and validate file paths before including files to ensure only allowed files are included.

Avoid using direct user input in file inclusion functions.

Update PHP to a modern version (5.3.4 or later) that properly handles null byte injections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart