CVE-2026-10694
File Inclusion in Online Food Ordering System 2.0
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_food_ordering_system | 2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10694 is a Local File Inclusion (LFI) vulnerability in the Online Food Ordering System version 2.0. It occurs in the /index.php and /admin/index.php files where the 'page' parameter is used directly in PHP's include statement without proper sanitization or path restrictions.
This flaw allows an attacker to manipulate the 'page' argument to include arbitrary PHP files or read sensitive files on the server, such as database configuration files, by using PHP stream wrappers like php://filter.
The vulnerability can be exploited remotely without authentication, making it a significant security risk.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information, such as database credentials, by allowing attackers to read protected files on the server.
It can also enable further attacks by exposing source code or configuration details, potentially compromising the confidentiality and integrity of the system.
Since the exploit requires no authentication and can be launched remotely, it poses a high risk to affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'page' parameter in the /index.php or /admin/index.php files for Local File Inclusion (LFI) behavior. You can attempt to manipulate the 'page' parameter to include arbitrary files or read sensitive files using PHP stream wrappers.
- Use curl or wget to send requests with the 'page' parameter set to known sensitive files, for example: `curl "http://target/index.php?page=php://filter/convert.base64-encode/resource=db_connect.php"`
- Check server responses for inclusion of file contents or base64 encoded data indicating successful file inclusion.
- Monitor web server logs for unusual requests manipulating the 'page' parameter.
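To make the last point concrete, here is a small log-scanning script written for this page as an added example; it is not part of the advisory or of the Online Food Ordering System. It extracts the 'page' value from each request line of an access log in Apache/nginx "combined" format and flags values that carry a stream wrapper, directory traversal, a null byte or an absolute path instead of a plain page name. The log lines are constructed; the exact set of benign page names is an assumption.

```php
<?php
// Added example (not part of the advisory or the application's code):
// scan web-server access-log lines for requests that tamper with the 'page'
// parameter of index.php / admin/index.php. The log lines below are constructed.

declare(strict_types=1);

// Constructed sample lines in Apache/nginx "combined" log format.
$sampleLog = <<<'LOG'
203.0.113.5 - - [03/Jun/2026:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2026:10:01:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=db_connect.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.9 - - [03/Jun/2026:10:02:11 +0000] "GET /admin/index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1303 "-" "python-requests/2.31"
203.0.113.5 - - [03/Jun/2026:10:02:40 +0000] "GET /index.php?page=menu HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
LOG;

/**
 * Return the URL-decoded 'page' value from a log line's request target, or
 * null when the request is not for an index.php with a page parameter.
 */
function extractPageParam(string $logLine): ?string
{
    // Pull the request target out of the quoted "METHOD /path?query HTTP/x" field.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query'])) {
        return null;
    }
    if (!preg_match('#(^|/)index\.php$#', $url['path'])) {
        return null;
    }
    parse_str($url['query'], $params); // parse_str URL-decodes the values once
    return isset($params['page']) && is_string($params['page']) ? $params['page'] : null;
}

/**
 * Decide whether a 'page' value looks like an inclusion attempt rather than
 * one of the application's own page names. Returns the reason, or null if benign.
 */
function classifyPageValue(string $page): ?string
{
    // Decode once more so double-encoded payloads (%252e%252e) are also caught.
    $decoded = rawurldecode($page);
    if (preg_match('#^[a-z]+://#i', $decoded)) {
        return 'stream wrapper (php://, data://, http:// ...)';
    }
    if (str_contains($decoded, '..')) {
        return 'directory traversal';
    }
    if (str_contains($decoded, "\0") || str_contains($page, '%00')) {
        return 'null byte';
    }
    if (str_starts_with($decoded, '/') || preg_match('#^[a-z]:\\\\#i', $decoded)) {
        return 'absolute path';
    }
    // Assumed naming convention for legitimate pages: short alphanumeric slugs.
    if (!preg_match('/^[a-z0-9_-]{1,40}$/i', $decoded)) {
        return 'unexpected characters in page name';
    }
    return null;
}

/** Scan every line and return the suspicious ones together with the reason. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $page = extractPageParam($line);
        if ($page === null) {
            continue;
        }
        $reason = classifyPageValue($page);
        if ($reason !== null) {
            $findings[] = ['page' => $page, 'reason' => $reason, 'line' => $line];
        }
    }
    return $findings;
}

foreach (scanAccessLog($sampleLog) as $f) {
    printf("[%s] page=%s\n    %s\n", $f['reason'], $f['page'], $f['line']);
}
```

Run it with `php scan_page_param.php` against a real log by replacing `$sampleLog` with `file_get_contents()` of the access log; on the constructed input the second and third lines are reported (stream wrapper and directory traversal) while the `home` and `menu` requests pass. Because the parameter is decoded before inspection, percent-encoded traversal sequences do not slip past the check.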
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing a whitelist of allowed pages for the 'page' parameter to prevent arbitrary file inclusion.
Disable PHP wrappers such as php://filter in the production environment to prevent exploitation via stream wrappers.
Use PHP functions like basename() to strip path components from the 'page' parameter, restricting file inclusion to intended files only.
Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.
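The allow-list recommendation above, shown in code. This is an added example written for this page, not the Online Food Ordering System's own source: the first function reproduces the pattern the advisory describes (the request value reaches include() unchanged), the second replaces it with a fixed map of known pages so that no user-controlled string is ever used as a path. The page names and the `pages/` directory are assumptions for illustration.

```php
<?php
// Added example (not the application's own code): the include pattern the
// advisory describes, beside an allow-list replacement. Page names and the
// 'pages/' directory are assumed for illustration.

declare(strict_types=1);

// --- Vulnerable pattern as described in the advisory. Because the query value
// is passed straight to include(), stream wrappers such as php://filter and
// traversal sequences are honoured by PHP. Shown for contrast only.
function renderPageVulnerable(string $page): void
{
    include $page; // DO NOT USE: $page comes straight from $_GET['page']
}

// --- Hardened version. The request value is only ever used as a key into a
// fixed map, so the string handed to include() is always one of these literals.
const ALLOWED_PAGES = [
    'home'  => 'pages/home.php',
    'menu'  => 'pages/menu.php',
    'cart'  => 'pages/cart.php',
    'about' => 'pages/about.php',
];

/** Map the requested page name to a known file, falling back to the home page. */
function resolvePage(?string $requested): string
{
    $key = $requested ?? 'home';
    return ALLOWED_PAGES[$key] ?? ALLOWED_PAGES['home'];
}

function renderPageSafe(?string $requested): void
{
    $file = __DIR__ . '/' . resolvePage($requested);
    // Defence in depth: the resolved file must exist and stay under this directory,
    // which also guards against a mistaken entry being added to the map later.
    $real = realpath($file);
    if ($real === false || !str_starts_with($real, __DIR__ . DIRECTORY_SEPARATOR)) {
        http_response_code(404);
        return;
    }
    include $real;
}

// Entry point: read the parameter as a string only, never as an array.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
renderPageSafe($requested);
```

With this structure the advisory's basename() suggestion becomes unnecessary, because the user value never participates in building a path; basename() alone would still let a request select any .php file in the same directory, such as a database configuration file, so it is at best a secondary measure. Setting `allow_url_include=Off` in php.ini (the default in current PHP) additionally blocks remote wrappers such as http:// in include statements, though it does not affect the local php://filter wrapper named in the advisory.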
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to include arbitrary files and read sensitive files such as database configuration files, potentially exposing confidential data like database credentials.
This exposure of sensitive information can lead to unauthorized access and data breaches, which may violate data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive data.
Therefore, exploitation of this vulnerability could compromise compliance with these standards by failing to ensure confidentiality and integrity of protected data.