VYPR
High severity (7.3) · NVD Advisory · Published Jun 3, 2026

CVE-2026-10694

Description

SourceCodester Online Food Ordering System 2.0 is vulnerable to Local File Inclusion via the 'page' parameter in index.php, allowing remote attackers to read sensitive files or execute code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Local File Inclusion (LFI) vulnerability exists in SourceCodester Online Food Ordering System version 2.0, specifically within the /index.php and /admin/index.php files. The vulnerability stems from the direct use of the page parameter's value in a PHP include statement without proper sanitization or path validation, making it susceptible to manipulation [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. By manipulating the page parameter in a request to /index.php, an attacker can trick the application into including arbitrary files from the server. This can be achieved by appending directory traversal sequences (e.g., ../) to the parameter's value, potentially leading to the inclusion of sensitive system files or PHP wrappers for code execution [1].

Impact

Successful exploitation of this LFI vulnerability allows an attacker to read sensitive files on the server, such as database configuration files containing credentials. Furthermore, attackers may be able to include arbitrary PHP files, leading to remote code execution, or use PHP stream wrappers to extract source code from various files, compromising the confidentiality and integrity of the system [1].

Mitigation

No specific patched version or release date has been disclosed in the available references. Users are advised to consult vendor advisories for updates. As of the publication of this CVE, no workarounds have been officially provided, and the exploit is publicly available [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"User input from the 'page' parameter is passed directly to a PHP include statement without sanitization or path restriction [ref_id=1]."

Attack vector

An attacker can remotely exploit this vulnerability by manipulating the 'page' parameter in a GET request. By providing crafted input, such as 'php://filter/convert.base64-encode/resource=admin/db_connect', an attacker can include arbitrary files or use PHP stream wrappers to read sensitive source code, like database credentials [ref_id=1]. No login or authorization is required to exploit this vulnerability [ref_id=1].

Affected code

The vulnerability exists in the '/index.php' file on line 63 and the '/admin/index.php' file on line 36 [ref_id=1]. Specifically, the 'page' parameter in these files is directly used in an include statement without proper validation [ref_id=1].

What the fix does

The advisory suggests several remediation strategies. One approach is to maintain a strict whitelist of allowed page names and reject any request that does not match an allowed value [ref_id=1]. Another recommendation is to disable PHP wrappers like php://filter by setting 'allow_url_include = Off' and 'allow_url_fopen = Off' in php.ini [ref_id=1]. Additionally, using basename() to strip directory traversal components before passing the page parameter to include is advised [ref_id=1]. Regular security audits are also recommended [ref_id=1].
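The allowlist recommendation from the advisory, shown as an added example (not code from the affected application) beside the include pattern the advisory describes; note that php://filter is a local stream wrapper that the allow_url_include and allow_url_fopen directives do not turn off, so the allowlist is the control to rely on. The file names under pages/ are assumed for illustration.

```php
<?php
// Added example, not code from the affected application. The file names in
// ALLOWED_PAGES are assumed for illustration.

// The pattern the advisory describes: the request value chooses the file,
// so traversal sequences or stream wrappers reach include() unchanged.
function include_page_unsafe(string $page): void
{
    include $page . '.php'; // vulnerable: user-controlled include path
}

// Hardened replacement. The request value is never used as a path; it only
// selects an entry from a fixed map, and anything else is rejected.
const ALLOWED_PAGES = [
    'home' => __DIR__ . '/pages/home.php',
    'menu' => __DIR__ . '/pages/menu.php',
    'cart' => __DIR__ . '/pages/cart.php',
];

function resolve_page($page): ?string
{
    // Reject non-string input (e.g. page[]=x) and anything outside the allowlist.
    if (!is_string($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return ALLOWED_PAGES[$page];
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```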

Preconditions

  • input: The 'page' parameter in a GET request.
  • network: The attack can be launched remotely.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)