CVE-2026-15540
Received Received - Intake

Improper File Inclusion in Online Book Store System

Vulnerability report for CVE-2026-15540, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/require statement in php program. It is possible to initiate the attack remotely. The exploit is now public and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_book_store_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the SourceCodester Online Book Store System 1.0, specifically in an unknown function within the /admin/index.php file of the Administrative Interface component.

The issue arises from improper control of the filename used in an include or require statement in the PHP program when manipulating the 'page' argument.

This flaw allows an attacker to remotely exploit the system by manipulating the 'page' parameter, potentially including unintended files.

Impact Analysis

Exploiting this vulnerability could allow an attacker to include arbitrary files on the server, which may lead to information disclosure or other unintended behaviors.

Since the vulnerability can be triggered remotely without user interaction, it increases the risk of unauthorized access or manipulation of the system.

However, the CVSS scores indicate a relatively low to moderate severity, suggesting limited impact such as partial confidentiality loss but no integrity or availability impact.

Compliance Impact

This vulnerability allows an authenticated attacker to read arbitrary local files, including sensitive server-side source code and configuration details. Such unauthorized disclosure of sensitive information can lead to exposure of personal data or protected health information if present, potentially violating data protection regulations like GDPR and HIPAA.

The improper control of file inclusion may facilitate further exploitation, increasing the risk of data breaches and non-compliance with security requirements mandated by these standards.

Remediation steps such as strict input validation, restricting accessible files, and centralized access control are critical to maintain compliance and protect sensitive data.

Detection Guidance

This vulnerability can be detected by testing the 'page' parameter in the administrative interface for Local File Inclusion (LFI) behavior. An authenticated attacker can attempt to exploit the vulnerability by using the PHP stream wrapper to read arbitrary PHP source files.

A common detection method is to send a request to the vulnerable endpoint with a payload like: php://filter/convert.base64-encode/resource=admin_class.php

For example, using curl to test the vulnerability:

  • curl -i -s -k -X $'GET' \ 'http://target/admin/index.php?page=php://filter/convert.base64-encode/resource=admin_class.php'

If the response contains Base64 encoded content of the PHP source file, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include implementing strict allow-list validation for file inclusion operations to ensure only predefined pages can be included.

Avoid using user-controlled input directly in include or require statements in PHP code.

Disable unnecessary PHP stream wrappers such as 'php://filter' if they are not required by the application.

Implement centralized access control checks for administrative functionality to restrict unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15540. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart