Description
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in SourceCodester Pizzafy Ecommerce System 1.0 stems from unchecked handling of the 'page' argument in index.php, which enables file inclusion: an attacker can supply arbitrary file paths. This can lead to disclosure of sensitive files or execution of malicious scripts, compromising the confidentiality, integrity, and potentially the availability of the application. The weakness is classified as CWE-73.

Affected Systems

SourceCodester Pizzafy Ecommerce System version 1.0 is affected. No additional vendor or product versions are specified.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 5.3, indicating moderate severity. While the EPSS score is not available, the published exploit and the possibility of remote exploitation suggest a realistic threat. The lack of a KEV listing does not diminish the likelihood that an attacker could leverage the flaw to include files from the server or external sources, posing a tangible risk to deployed instances.

Generated by OpenCVE AI on June 2, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s security patch that fixes the file‑inclusion flaw in index.php.
  • Enforce a strict whitelist or pattern check on the 'page' parameter so that only known, safe page names are accepted.
  • Disable external file inclusion in PHP by setting allow_url_fopen=Off and configuring the open_basedir restriction to limit file access to the application’s directory.
  • Ensure file permissions and web server configuration prevent execution of arbitrary scripts that could be dropped through the vulnerable inclusion mechanism.
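
The allow-list check recommended above, as an added example (not Pizzafy's own code and not from the vendor). The page names, the ./pages directory and the resolve_page() helper are hypothetical; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: request value => file on disk. These names are
// assumptions for illustration, not Pizzafy's real page names.
const ALLOWED_PAGES = [
    'home' => 'home.php',
    'menu' => 'menu.php',
    'cart' => 'cart.php',
];

/**
 * Map the untrusted 'page' argument to a file inside $pagesDir, or return
 * null when the request should be rejected.
 */
function resolve_page(mixed $requested, string $pagesDir): ?string
{
    // ?page[]=x arrives as an array; anything that is not a string, or is
    // not a key of the allow-list, is rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // The path is built from the allow-list value, never from the request.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    // realpath() resolves symlinks; confirm the target is still under $base.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Front-controller usage (hypothetical layout: pages live in ./pages).
$target = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
require $target;
```

The php.ini settings from the list (allow_url_fopen=Off, open_basedir) remain a second layer behind this check. allow_url_include, the directive that specifically governs URLs in include/require and is not named on this page, should also stay Off.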

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.
Title | | SourceCodester Pizzafy Ecommerce System index.php file inclusion
First Time appeared | | Sourcecodester; Sourcecodester pizzafy Ecommerce System
Weaknesses | | CWE-73
CPEs | | cpe:2.3:a:sourcecodester:pizzafy_ecommerce_system:*:*:*:*:*:*:*:*
Vendors & Products | | Sourcecodester; Sourcecodester pizzafy Ecommerce System
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T15:45:21.472Z

Reserved: 2026-06-01T14:59:42.789Z

Link: CVE-2026-10559

Vulnrichment

Updated: 2026-06-02T14:39:50.794Z

NVD

Status: Deferred

Published: 2026-06-02T02:16:15.747

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:30:16Z

Weaknesses