CVE-2026-10558: SourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its administrative interface. An attacker with valid login credentials can manipulate the 'page' parameter in /admin/index.php to include and execute arbitrary files on the server. This allows an authenticated attacker to read sensitive files, modify system behavior, or potentially execute code. The vulnerability is publicly known and proof-of-concept code is available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack is possible to be carried out remotely. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10558 is a path traversal/file inclusion flaw affecting SourceCodester Pizzafy Ecommerce System 1.0. The vulnerability exists in /admin/index.php where the 'page' parameter is processed by an unknown function without proper validation or sanitization. By crafting malicious input to this parameter, an authenticated attacker can trigger inclusion of files outside the intended directory, leading to local file inclusion (LFI) or remote file inclusion (RFI) depending on server configuration. The CVSS 3.1 score of 6.3 reflects that exploitation requires prior authentication but carries moderate impact across confidentiality, integrity, and availability.
Business impact
Compromise of the administrative panel can lead to unauthorized access to customer data, order information, and payment details stored within the ecommerce system. An attacker could also manipulate product listings, pricing, or redirect transactions. Given that this is an ecommerce platform, a successful attack puts customer privacy and transaction security at direct risk, potentially triggering compliance violations (PCI-DSS, GDPR) and reputational damage. The public availability of exploitation techniques accelerates the window of opportunity for malicious actors.
Affected systems
SourceCodester Pizzafy Ecommerce System version 1.0 is directly affected. Organizations running this specific version in production environments are at risk. Check your deployment records and instance inventories for this product. Earlier or later versions have not been confirmed as vulnerable based on available information; verify vendor communications for patch availability and scope.
Exploitability
The vulnerability requires an attacker to possess valid administrative credentials or to have compromised a legitimate admin account beforehand. However, once authenticated, exploitation is straightforward—no user interaction is required and the attack can be launched over the network. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms low attack complexity. Public exploit availability means sophistication barriers are minimal. Organizations should treat this as a high-priority issue if exposed to untrusted networks.
Remediation
Immediately check whether your organization is running SourceCodester Pizzafy Ecommerce System 1.0. If so, contact the vendor for available patches or security updates. In parallel, isolate or restrict network access to administrative interfaces using firewall rules or VPN requirements. Implement strict input validation and parameterized file inclusion mechanisms if you maintain or customize this codebase. Monitor admin panel access logs for suspicious 'page' parameter values. As a temporary mitigation, enforce strong password policies and multi-factor authentication on all admin accounts.
Patch guidance
Contact SourceCodester or check their official security advisories for patched versions beyond 1.0. Verify patch availability and test in a staging environment before production deployment. The vulnerability was identified and published on June 2, 2026, with a modification date of June 17, 2026—ensure you consult the most current vendor documentation. If no patch is available, evaluate the feasibility of upgrading to a different or more secure ecommerce platform.
Detection guidance
Monitor access logs for /admin/index.php, particularly for unusual or repeated values in the 'page' parameter. Look for path traversal indicators such as '../', '..\', encoded variants ('%2e%2e%2f'), or suspicious file paths. Web application firewalls should be configured to detect and block file inclusion patterns. Enable logging of all administrative actions and review for any unexpected file access or system behavior changes. Examine web server error logs for signs of failed file inclusion attempts or unintended file access.
Why prioritize this
Although the CVSS score is 6.3 (Medium), the practical risk is elevated by several factors: public exploit availability dramatically lowers the barrier to exploitation; ecommerce systems typically store sensitive customer and financial data; and the administrative nature of the vulnerable interface means compromise has outsized impact. Organizations running this version should treat it as a high-priority item for remediation, especially if internet-exposed or accessible to potentially compromised user accounts.
Risk score, explained
The CVSS 3.1 score of 6.3 reflects a Medium severity rating based on the requirement for authentication (PR:L), network accessibility (AV:N), and the partial impact on confidentiality, integrity, and availability. However, this score does not account for public exploit availability or the sensitivity of ecommerce administrative functions. In context, the practical risk to an organization may warrant a higher remediation priority than the numerical score alone suggests.
Frequently asked questions
Do I need valid admin credentials to exploit this vulnerability?
Yes, the vulnerability requires an authenticated session or valid administrative credentials. However, if an admin account is compromised through phishing, password reuse, or other means, the attacker gains a direct path to this vulnerability. Enforce strong password policies and multi-factor authentication to minimize this risk.
What versions of SourceCodester Pizzafy are affected?
Version 1.0 is confirmed vulnerable. Check vendor advisories to determine if other versions are affected or if patches are available. Do not assume that merely updating to a newer version resolves the issue without explicit confirmation from SourceCodester.
Can this vulnerability be exploited without internet access?
The vulnerability can be exploited over a network from any location, making it remotely exploitable. However, the attacker must first obtain administrative credentials, which typically limits the attack surface to internal threats or accounts compromised through social engineering or credential stuffing.
What is the difference between this and a standard directory traversal?
This is a file inclusion vulnerability (CWE-73) that allows an attacker to include arbitrary files from the server's filesystem. Depending on what files are accessible and how the included content is processed, this can range from information disclosure to remote code execution. It is more severe than simple directory traversal because the included files may be executed as code rather than merely exposed.
This analysis is provided for informational purposes to support security decision-making. The vulnerability details are based on publicly available information as of the modification date (June 17, 2026). Organizations should verify compatibility and patch availability directly with SourceCodester before deploying any updates. No proof-of-concept code or weaponized exploitation techniques are provided herein. Security teams should conduct their own risk assessment based on their specific environment, threat landscape, and organizational criticality. This vulnerability intelligence does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass
- CVE-2026-41412MEDIUMalf.io Extension Sandbox File Read Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)