MEDIUM 6.3

CVE-2026-10559: File Inclusion in SourceCodester Pizzafy Ecommerce System 1.0

SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its index.php file. An authenticated attacker can manipulate the 'page' parameter to include arbitrary files, potentially exposing sensitive data or executing unintended code. The vulnerability requires valid credentials but can be exploited over the network without user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-73
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10559 is a Local File Inclusion (LFI) vulnerability classified under CWE-73 (External Control of File Name or Path). The flaw exists in an undocumented function within /index.php where the 'page' parameter is processed without sufficient validation or sanitization. This allows authenticated users to traverse the filesystem and include files beyond the intended application directory. The CVSS 3.1 score of 6.3 (Medium) reflects the requirement for authentication combined with the potential for information disclosure and limited integrity impact.

Business impact

Organizations running Pizzafy Ecommerce System 1.0 in production face risk of unauthorized data exposure, including configuration files, database credentials, or other sensitive application assets. While the vulnerability requires authentication, a compromised or malicious user account can read sensitive files or potentially trigger code execution through file inclusion chains. For e-commerce platforms, this could lead to customer data exposure or business logic manipulation.

Affected systems

SourceCodester Pizzafy Ecommerce System version 1.0 is affected. No other vendor products are listed in the advisory data. Organizations using this specific version should immediately audit their deployments and user access controls.

Exploitability

The exploit is published and actively available. The attack requires an authenticated session (authentication is a prerequisite), but no special privileges or user interaction is needed once inside the application. Network accessibility is direct, making it trivial to exploit from any internet-connected attacker with valid credentials. The low attack complexity and published exploit increase practical risk despite the Medium CVSS score.

Remediation

Primary remediation is to upgrade SourceCodester Pizzafy Ecommerce System to a patched version released after June 2026. Verify the specific patched version against the official SourceCodester advisory. As an interim control, restrict application access via network segmentation or IP allowlisting, and audit user accounts to remove unnecessary administrative or editor-level access. Implement input validation and file inclusion protections such as whitelisting permitted files or using absolute file path resolution without user-controlled traversal.

Patch guidance

Check the official SourceCodester website and security advisories for the patched version addressing CVE-2026-10559. Apply the update immediately to production systems. Test the patch in a staging environment first to ensure compatibility with your custom configurations or third-party integrations. After patching, audit application logs for any historical exploitation attempts using the 'page' parameter manipulation.

Detection guidance

Monitor web server logs for requests to /index.php with suspicious 'page' parameter values, particularly those containing path traversal sequences such as '../', '..\', or encoded variants (%2e%2e). Implement Web Application Firewall (WAF) rules to block file inclusion attacks. Review application access logs for authenticated sessions performing unusual file read operations. Search for references to sensitive files (config, database, .env) in recent HTTP requests from user accounts.

Why prioritize this

Although classified as Medium severity, this vulnerability warrants prompt remediation because exploits are publicly available, the attack surface is the main application entry point (/index.php), and authentication is a common barrier that many organizations underestimate. E-commerce platforms handling customer payment and personal data face elevated business risk from file inclusion attacks. The combination of published exploits and demonstrated attack simplicity elevates practical risk beyond the base CVSS score.

Risk score, explained

CVSS 3.1 score of 6.3 reflects: Network attack vector (AV:N), low attack complexity (AC:L), requirement for prior authentication (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and limited but real impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). The score does not account for ease of exploitation (published proof-of-concept) or business context (e-commerce data exposure). Organizations should apply additional risk weighting based on their threat model and data sensitivity.

Frequently asked questions

Does this vulnerability affect Pizzafy versions other than 1.0?

The advisory data lists only version 1.0 as affected. However, you should check the official SourceCodester security bulletin and release notes for any information about impact on other versions. Older versions may be vulnerable; newer versions should be verified as patched.

Can an unauthenticated attacker exploit this?

No. The CVSS vector requires PR:L (low privilege), meaning a valid user account and authentication session are prerequisites. However, this should not be underestimated—many organizations have numerous user accounts, and credential compromise or insider threats are realistic attack vectors.

What files are at risk of exposure?

Any file readable by the web server process on the filesystem is potentially accessible, including application configuration files, .env files with database credentials, backup files, or operating system files. The exact scope depends on server hardening and file permissions.

Is there a workaround if I cannot patch immediately?

Mitigation steps include disabling the affected /index.php functionality if not critical, implementing WAF rules to block traversal sequences in the 'page' parameter, restricting application access to trusted networks, and removing unnecessary user accounts. These are temporary only—patching is the required long-term solution.

This analysis is provided for informational and defensive purposes. Verify all patch versions and affected product details against official vendor advisories and your specific deployment configuration. SEC.co does not provide legal advice, incident response services, or liability for decisions made based on this intelligence. Organizations are responsible for their own risk assessment and remediation timelines based on business criticality and threat environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).