CVE-2026-10694
Deferred Deferred - Pending Action
File Inclusion in Online Food Ordering System 2.0

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: VulDB

Description
A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-10694
EUVD
EUVD-2026-34059
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_food_ordering_system 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10694 is a Local File Inclusion (LFI) vulnerability in the Online Food Ordering System version 2.0. It occurs in the /index.php and /admin/index.php files where the 'page' parameter is used directly in PHP's include statement without proper sanitization or path restrictions.

This flaw allows an attacker to manipulate the 'page' argument to include arbitrary PHP files or read sensitive files on the server, such as database configuration files, by using PHP stream wrappers like php://filter.

The vulnerability can be exploited remotely without authentication, making it a significant security risk.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information, such as database credentials, by allowing attackers to read protected files on the server.

It can also enable further attacks by exposing source code or configuration details, potentially compromising the confidentiality and integrity of the system.

Since the exploit requires no authentication and can be launched remotely, it poses a high risk to affected systems.

Detection Guidance

This vulnerability can be detected by testing the 'page' parameter in the /index.php or /admin/index.php files for Local File Inclusion (LFI) behavior. You can attempt to manipulate the 'page' parameter to include arbitrary files or read sensitive files using PHP stream wrappers.

  • Use curl or wget to send requests with the 'page' parameter set to known sensitive files, for example: curl "http://target/index.php?page=php://filter/convert.base64-encode/resource=db_connect.php"
  • Check server responses for inclusion of file contents or base64 encoded data indicating successful file inclusion.
  • Monitor web server logs for unusual requests manipulating the 'page' parameter.
Mitigation Strategies

Immediate mitigation steps include implementing a whitelist of allowed pages for the 'page' parameter to prevent arbitrary file inclusion.

Disable PHP wrappers such as php://filter in the production environment to prevent exploitation via stream wrappers.

Use PHP functions like basename() to strip path components from the 'page' parameter, restricting file inclusion to intended files only.

Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.

Compliance Impact

The vulnerability allows attackers to include arbitrary files and read sensitive files such as database configuration files, potentially exposing confidential data like database credentials.

This exposure of sensitive information can lead to unauthorized access and data breaches, which may violate data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive data.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by failing to ensure confidentiality and integrity of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10694. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart