CVE-2026-10558
Description
SourceCodester Pizzafy Ecommerce System 1.0 is vulnerable to Local File Inclusion via the page parameter in admin/index.php, allowing remote attackers to read sensitive files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Local File Inclusion (LFI) vulnerability exists in SourceCodester Pizzafy Ecommerce System version 1.0. The page parameter in /admin/index.php does not properly sanitize user input before passing it to a PHP include() function. This allows for directory traversal, potentially leading to the inclusion of sensitive files. The vulnerability is reachable via remote requests [1].
Exploitation
An attacker can exploit this vulnerability by manipulating the page parameter in a GET request to http://localhost/pizzafy/admin/index.php. By providing directory traversal sequences such as ../../../../../../, an attacker can bypass intended directory restrictions. The application appends a .php extension to the input, but the traversal sequences allow access to files outside the intended directory [1].
Impact
Successful exploitation can lead to Information Disclosure, allowing attackers to read sensitive system files like win.ini or /etc/passwd. It can also result in Source Code Leakage, potentially exposing database credentials or other hardcoded secrets. In certain scenarios, if combined with file upload or log poisoning, it could lead to Remote Code Execution (RCE) [1].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor for the latest security updates. The exploit is publicly available [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'page' parameter in index.php does not properly validate user input before including files, allowing directory traversal."
Attack vector
An attacker can exploit this vulnerability by sending a crafted GET request to the `/admin/index.php` endpoint. By manipulating the 'page' parameter with directory traversal sequences (e.g., '../../../..'), an attacker can bypass intended directory restrictions. The application then includes a file based on the manipulated path, so files outside the intended directory can be included. The attack is possible remotely and does not require authentication [ref_id=1].
Affected code
The vulnerability resides in the `/admin/index.php` file of the SourceCodester Pizzafy Ecommerce System. Specifically, the 'page' parameter is processed without adequate validation or sanitization before being used in a PHP `include()` function. This allows for directory traversal payloads to be passed, leading to the inclusion of unintended files [ref_id=1].
What the fix does
The advisory recommends avoiding direct use of user-supplied input in file system operations. A suggested mitigation involves whitelisting allowed page values and only including pages present in a predefined list. Alternatively, sanitizing input using functions like `basename()` can help strip directory paths, although whitelisting is considered more secure. Disabling remote file inclusion in `php.ini` is also advised [ref_id=1].
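The whitelist pattern the advisory recommends, as an added example that is not Pizzafy's own code. It assumes a hypothetical `pages/` directory and a small set of page names; the vulnerable pattern shown in the comment is a reconstruction of the `include()` behaviour described above, not the project's source.

```php
<?php
// Added example (not Pizzafy's own code): a whitelist-based page router that
// replaces the vulnerable pattern described in the advisory, reconstructed
// here as a hypothetical one-liner:
//   include($_GET['page'] . '.php');
// Concatenating the raw parameter into the path is what lets "../" sequences
// select files outside the intended directory.

// Hypothetical map of routable admin pages (adjust to the real page files).
// Keys are the only values accepted from the client; values are the files.
const ALLOWED_PAGES = [
    'dashboard' => 'dashboard.php',
    'orders'    => 'orders.php',
    'products'  => 'products.php',
];

/**
 * Resolve a client-supplied page name to an include path, or return null
 * when it is not an allowed page. The raw parameter is used only as a
 * lookup key, never as part of the path, so traversal sequences, absolute
 * paths and null bytes cannot influence which file is included.
 */
function resolve_page($requested): ?string
{
    // $_GET values may be arrays (?page[]=x); treat anything but a
    // non-empty string as the default page.
    if (!is_string($requested) || $requested === '') {
        $requested = 'dashboard';
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$requested];
}

$target = resolve_page($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    // Record the rejected value for detection (JSON-encoded so that a
    // traversal payload does not corrupt the log line); never echo it back.
    error_log('admin/index.php: rejected page parameter '
        . json_encode($_GET['page'] ?? null));
    exit('Page not found');
}
require $target;
```

The `basename()` alternative the advisory mentions strips directory components, so it stops traversal, but it still lets a client include any `.php` file that happens to sit in the pages directory; the lookup table above limits inclusion to the listed files, which is why the advisory prefers whitelisting. Setting `allow_url_include=Off` in `php.ini` (the "remote file inclusion" setting the advisory refers to) blocks `http://` and similar wrappers in `include()`, but does not by itself prevent the local traversal described here, so it complements rather than replaces the whitelist.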
Preconditions
- Network: The vulnerable application must be accessible over the network.
- Input: The attacker must be able to control the 'page' GET parameter.
Reproduction
Navigate to the admin panel at `http://localhost/pizzafy/admin/index.php`. Modify the URL by adding the 'page' parameter with a directory traversal sequence, for example: `http://localhost/pizzafy/admin/index.php?page=../../../../../../windows/win.ini`. Observe the server response, which will either render the contents of the requested file or display a PHP error confirming the attempt [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.