CVE-2026-10559
Description
SourceCodester Pizzafy Ecommerce System 1.0 is vulnerable to Local File Inclusion via null byte injection in index.php, allowing remote attackers to disclose information or achieve RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Local File Inclusion (LFI) vulnerability exists in SourceCodester Pizzafy Ecommerce System version 1.0. The flaw is located in the index.php file, specifically within the page parameter. An attacker can exploit this by using null byte injection (%00) to bypass file extension enforcement and include arbitrary files [1].
Exploitation
An attacker can perform this attack remotely without authentication. By manipulating the page parameter in a GET request to index.php and appending a null byte, an attacker can include files outside the intended directory. A sample payload demonstrating this is ../../apache/logs/access.log%00 [1].
Impact
Successful exploitation can lead to information disclosure by accessing sensitive files such as server logs. Furthermore, it can enable Remote Code Execution (RCE) through techniques like log poisoning, where an attacker injects malicious code into a log file and then includes that log file to execute the code [1].
Mitigation
No specific patched version or release date has been disclosed in the available references. Users are advised to consult vendor advisories for updates. The exploit has been published and may be used [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly validate user input in the 'page' parameter, allowing for file inclusion."
Attack vector
An attacker can perform this attack remotely by manipulating the 'page' argument in a GET request to the index.php file. The payload includes directory traversal characters and a null byte (%00) to bypass file extension enforcement. For example, a payload like '../../apache/logs/access.log%00' can be used to attempt to include sensitive files [ref_id=1]. This bypasses security logic by preventing the automatic appending of a .php extension [ref_id=1].
Affected code
The vulnerability resides in the index.php file, specifically within an unknown function that processes the 'page' parameter. The technical evidence indicates that the inclusion attempt was processed at line 468 of C:\xampp\htdocs\Pizzafy\index.php [ref_id=1].
What the fix does
The advisory recommends several remediation steps. These include implementing strict input validation using a whitelist for the 'page' parameter, normalizing paths using functions like realpath() to keep them within the intended directory, and avoiding direct use of user input in file inclusion functions. It also suggests updating the PHP environment to a version where null byte injection is mitigated, as later versions treat null bytes as invalid characters in file system functions [ref_id=1].
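The two remediation steps the advisory names, a strict allowlist for the page parameter and realpath() normalisation to keep includes inside the intended directory, are shown together below. This is an added example, not code from the Pizzafy project; the pages directory, the allowlist contents and the function names are assumptions, and the rejected-request logging is an added detection hook the advisory does not mention.

```php
<?php
// Added example (not Pizzafy code): a page-dispatch router hardened against
// the LFI pattern described above. PAGE_ALLOWLIST, resolve_page() and the
// pages/ directory layout are assumptions for illustration.

declare(strict_types=1);

// Constructed allowlist: request value => file inside the pages directory.
// Only these keys are ever mapped to a file; anything else is refused.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'menu'    => 'menu.php',
    'cart'    => 'cart.php',
    'contact' => 'contact.php',
];

/**
 * Resolve the requested page to a canonical absolute path, or null if the
 * request must be refused. Defence in depth: allowlist first, then a
 * realpath() containment check in case the allowlist is ever misconfigured.
 */
function resolve_page(string $requested, string $pagesDir): ?string
{
    // 1. Allowlist: traversal sequences ("../") and null bytes ("\0") cannot
    //    match a key, so they never reach the filesystem at all.
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }

    // 2. Normalisation: realpath() returns a canonical absolute path, or false
    //    for a missing file. Refuse anything that resolves outside $pagesDir.
    $base   = realpath($pagesDir);
    $target = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$requested]);
    if ($base === false || $target === false) {
        return null;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// The vulnerable pattern this replaces appends ".php" to raw user input:
//   include $_GET['page'] . '.php';
// Before PHP 5.3.4 a null byte in the value truncates the path before ".php",
// which is why the extension "enforcement" could be bypassed; later versions
// reject paths containing "\0" in filesystem functions, but traversal to an
// existing .php file is still possible without the allowlist above.

$page = (string)($_GET['page'] ?? 'home');
$path = resolve_page($page, __DIR__ . '/pages');
if ($path === null) {
    // Log the rejected value hex-encoded so traversal or control characters
    // cannot themselves corrupt the log line (see log poisoning above).
    error_log(sprintf(
        'Rejected page request value=%s from=%s',
        bin2hex($page),
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ));
    http_response_code(400);
    exit('Invalid page.');
}
include $path;
```

The allowlist alone is the actual fix; the realpath() check only guards against a future mistake in the allowlist (for example a value containing a directory component). Logging the rejected value in hex rather than raw keeps a rejected traversal attempt from writing attacker-controlled bytes into the very log file that the advisory's log-poisoning scenario depends on.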
Preconditions
- Network: The attack can be performed from remote.
- Input: The 'page' parameter in index.php is vulnerable to manipulation.
Reproduction
Access the Pizzafy home page: http://localhost/pizzafy/index.php. Append a traversal payload with a null byte to the page parameter to target a known file: http://localhost/pizzafy/index.php?page=../../apache/logs/access.log%00. Analyze the response to confirm the application attempted to include the specified path [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.