CVE-2026-10694: Remote File Inclusion in SourceCodester Online Food Ordering System 2.0
SourceCodester's Online Food Ordering System version 2.0 contains a file inclusion vulnerability in its index.php page parameter. An unauthenticated attacker can supply a malicious page argument to cause the application to include and execute arbitrary files, potentially from the local filesystem or remote sources. This vulnerability requires no user interaction and can be exploited over the network. Public exploits are available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10694 is a remote file inclusion (RFI) / local file inclusion (LFI) vulnerability stemming from improper input validation on the 'page' parameter processed by the include() function in /index.php of SourceCodester Online Food Ordering System 2.0. The application fails to sanitize or restrict the page argument, allowing an attacker to manipulate the file inclusion logic. The vulnerability is classified under CWE-73 (External Control of File Name or Path). With a CVSS v3.1 score of 7.3 (HIGH), the attack vector is network-based, requires no authentication or user interaction, and can result in confidentiality, integrity, and availability impacts.
Business impact
Successful exploitation could allow attackers to read sensitive files from the server (such as configuration files containing database credentials), modify application behavior, inject malicious code, or execute arbitrary operations with the privileges of the web server process. For food ordering systems, this could expose customer payment information, personal delivery addresses, and business operational data. Additionally, attackers could use the compromised system as a pivot point for lateral movement within the network or deploy malware.
Affected systems
SourceCodester Online Food Ordering System version 2.0 is confirmed vulnerable. Organizations running this application in production environments should assume they are at risk. The vulnerability affects all instances of the affected version regardless of deployment configuration, since exploitation requires no authentication or special privileges.
Exploitability
This vulnerability is highly exploitable. The attack surface is trivial—exploitation requires only crafting a URL with a malicious page parameter and sending an HTTP request. No authentication is required, no user interaction is necessary, and the exploit can be launched entirely remotely. Public exploit code is available, meaning threat actors have ready-to-use tools. The low complexity and absence of prerequisites make this vulnerability attractive to both opportunistic and targeted attackers.
Remediation
Upgrade SourceCodester Online Food Ordering System to a patched version released after June 17, 2026 (verify the exact version against the vendor advisory). If an immediate upgrade is not possible, implement strict input validation on the page parameter to reject path traversal sequences (../, ..\ etc.) and restrict includes to a whitelist of allowed files. Consider disabling dynamic file inclusion altogether in favor of a switch statement or routing mechanism. Apply network-level controls to restrict access to the application if it is not required to be internet-facing.
Patch guidance
Contact SourceCodester or monitor their official release channels for a security patch addressing CVE-2026-10694. The vulnerability was published on June 3, 2026 and modified on June 17, 2026; patch releases may have been issued around or after these dates. Verify the specific patched version number against the vendor's security advisory before deployment. Testing in a non-production environment is recommended prior to applying patches to production systems.
Detection guidance
Monitor web server access logs for suspicious patterns in the page parameter, such as path traversal sequences (../, ..\ , …./ ), encoded variants (%2e%2e), protocol schemes (http://, ftp://), or attempts to access sensitive files (/etc/passwd, config files). Intrusion detection systems should flag requests to /index.php with anomalous page values. Application-level logging of included files can help identify exploitation attempts. Network-based detection tools should look for characteristics consistent with file inclusion attacks.
Why prioritize this
Despite not being on the KEV catalog, this vulnerability warrants immediate remediation due to its HIGH CVSS score (7.3), public exploit availability, lack of authentication requirements, and ease of exploitation. File inclusion vulnerabilities are frequently exploited in attacks against web applications, and their presence on internet-facing systems creates substantial risk. The straightforward attack vector combined with real-world impact on data confidentiality, integrity, and availability justifies urgent patching.
Risk score, explained
The CVSS v3.1 score of 7.3 (HIGH) reflects a network-accessible vulnerability with low attack complexity and no privilege or user interaction requirements. The scoring acknowledges partial impacts to confidentiality, integrity, and availability—attackers can read files, modify content, or disrupt service depending on exploitation method and server configuration. While not critical, the practical exploitability and real-world consequences of file inclusion attacks place this in the high-priority category for most organizations.
Frequently asked questions
Can this vulnerability be exploited without internet access?
No, exploitation requires network access to the vulnerable application. However, 'network' in CVSS means reachable over a network protocol—this includes both internet-facing instances and internal deployments accessible from the local network. Any network exposure creates risk.
Is there a workaround if we cannot patch immediately?
Partial mitigation is possible through input validation: reject page parameter values containing ../, ..\, protocol schemes, or other suspicious patterns. However, this is not a substitute for patching. Additionally, restricting network access to the application via firewall rules or network segmentation can reduce exposure while you prepare for an upgrade.
What is the difference between local and remote file inclusion in this context?
Local File Inclusion (LFI) allows reading files from the server's filesystem (e.g., /etc/passwd). Remote File Inclusion (RFI) allows loading files from external servers if the server's PHP configuration permits it. Both are possible depending on server settings, but LFI alone is sufficient for serious compromise (credential theft, code injection via log files, etc.).
Why is this not listed in the KEV catalog?
The Cybersecurity and Infrastructure Security Agency (CISA) KEV catalog prioritizes vulnerabilities with evidence of active exploitation in the wild. While CVE-2026-10694 has public exploits available, it may not yet meet CISA's specific criteria for catalog inclusion or may be newly published. Regardless of KEV status, the vulnerability's technical characteristics and exploitability warrant urgent attention.
This analysis is based on the vulnerability details published as of June 17, 2026. Security researchers and organizations should consult the official SourceCodester vendor advisory and CVSS documentation for authoritative information. Patch version numbers and specific remediation steps should be verified against vendor-provided guidance. Organizations should conduct their own risk assessments and testing before applying security updates in production environments. This analysis is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35080HIGHMBS Solutions Gateway Firmware Arbitrary File Deletion Vulnerability
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass