CVE-2026-10559: File Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its index.php file. An authenticated attacker can manipulate the 'page' parameter to include arbitrary files, potentially exposing sensitive data or executing unintended code. The vulnerability requires valid credentials but can be exploited over the network without user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10559 is a Local File Inclusion (LFI) vulnerability classified under CWE-73 (External Control of File Name or Path). The flaw exists in an undocumented function within /index.php where the 'page' parameter is processed without sufficient validation or sanitization. This allows authenticated users to traverse the filesystem and include files beyond the intended application directory. The CVSS 3.1 score of 6.3 (Medium) reflects the requirement for authentication combined with the potential for information disclosure and limited integrity impact.
Business impact
Organizations running Pizzafy Ecommerce System 1.0 in production face risk of unauthorized data exposure, including configuration files, database credentials, or other sensitive application assets. While the vulnerability requires authentication, a compromised or malicious user account can read sensitive files or potentially trigger code execution through file inclusion chains. For e-commerce platforms, this could lead to customer data exposure or business logic manipulation.
Affected systems
SourceCodester Pizzafy Ecommerce System version 1.0 is affected. No other vendor products are listed in the advisory data. Organizations using this specific version should immediately audit their deployments and user access controls.
Exploitability
The exploit is published and actively available. The attack requires an authenticated session (authentication is a prerequisite), but no special privileges or user interaction is needed once inside the application. Network accessibility is direct, making it trivial to exploit from any internet-connected attacker with valid credentials. The low attack complexity and published exploit increase practical risk despite the Medium CVSS score.
Remediation
Primary remediation is to upgrade SourceCodester Pizzafy Ecommerce System to a patched version released after June 2026. Verify the specific patched version against the official SourceCodester advisory. As an interim control, restrict application access via network segmentation or IP allowlisting, and audit user accounts to remove unnecessary administrative or editor-level access. Implement input validation and file inclusion protections such as whitelisting permitted files or using absolute file path resolution without user-controlled traversal.
Patch guidance
Check the official SourceCodester website and security advisories for the patched version addressing CVE-2026-10559. Apply the update immediately to production systems. Test the patch in a staging environment first to ensure compatibility with your custom configurations or third-party integrations. After patching, audit application logs for any historical exploitation attempts using the 'page' parameter manipulation.
Detection guidance
Monitor web server logs for requests to /index.php with suspicious 'page' parameter values, particularly those containing path traversal sequences such as '../', '..\', or encoded variants (%2e%2e). Implement Web Application Firewall (WAF) rules to block file inclusion attacks. Review application access logs for authenticated sessions performing unusual file read operations. Search for references to sensitive files (config, database, .env) in recent HTTP requests from user accounts.
Why prioritize this
Although classified as Medium severity, this vulnerability warrants prompt remediation because exploits are publicly available, the attack surface is the main application entry point (/index.php), and authentication is a common barrier that many organizations underestimate. E-commerce platforms handling customer payment and personal data face elevated business risk from file inclusion attacks. The combination of published exploits and demonstrated attack simplicity elevates practical risk beyond the base CVSS score.
Risk score, explained
CVSS 3.1 score of 6.3 reflects: Network attack vector (AV:N), low attack complexity (AC:L), requirement for prior authentication (PR:L), no user interaction needed (UI:N), unchanged scope (S:U), and limited but real impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). The score does not account for ease of exploitation (published proof-of-concept) or business context (e-commerce data exposure). Organizations should apply additional risk weighting based on their threat model and data sensitivity.
Frequently asked questions
Does this vulnerability affect Pizzafy versions other than 1.0?
The advisory data lists only version 1.0 as affected. However, you should check the official SourceCodester security bulletin and release notes for any information about impact on other versions. Older versions may be vulnerable; newer versions should be verified as patched.
Can an unauthenticated attacker exploit this?
No. The CVSS vector requires PR:L (low privilege), meaning a valid user account and authentication session are prerequisites. However, this should not be underestimated—many organizations have numerous user accounts, and credential compromise or insider threats are realistic attack vectors.
What files are at risk of exposure?
Any file readable by the web server process on the filesystem is potentially accessible, including application configuration files, .env files with database credentials, backup files, or operating system files. The exact scope depends on server hardening and file permissions.
Is there a workaround if I cannot patch immediately?
Mitigation steps include disabling the affected /index.php functionality if not critical, implementing WAF rules to block traversal sequences in the 'page' parameter, restricting application access to trusted networks, and removing unnecessary user accounts. These are temporary only—patching is the required long-term solution.
This analysis is provided for informational and defensive purposes. Verify all patch versions and affected product details against official vendor advisories and your specific deployment configuration. SEC.co does not provide legal advice, incident response services, or liability for decisions made based on this intelligence. Organizations are responsible for their own risk assessment and remediation timelines based on business criticality and threat environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass
- CVE-2026-41412MEDIUMalf.io Extension Sandbox File Read Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)