Skip to main content

Online Food Ordering System CVE-2026-10694

| EUVD-2026-34059 MEDIUM
External Control of File Name or Path (CWE-73)
2026-06-03 VulDB GHSA-4wh8-2pqj-9gw4
Information Disclosure PHP
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 03, 2026 - 01:22 NVD
HIGH MEDIUM
CVSS changed
Jun 03, 2026 - 01:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
Jun 03, 2026 - 00:44 vuln.today

DescriptionCVE.org

A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used.

AnalysisAI

File inclusion in SourceCodester Online Food Ordering System 2.0 allows remote attackers to manipulate the 'page' parameter of /index.php to include arbitrary files via the application's include() function. Publicly available exploit code exists (referenced on GitHub), and the CVSS 7.3 score combined with no authentication or user interaction requirements (AV:N/AC:L/PR:N/UI:N) makes this trivially exploitable against any exposed deployment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Online Food Ordering instance
Delivery
Send GET /index.php?page=../../../etc/passwd
Exploit
include() resolves traversal path
Execution
Sensitive files returned in HTTP response
Persist
Harvest credentials from config files
Impact
Optionally escalate via allow_url_include to RCE
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the Online Food Ordering System v2.0 application be reachable over HTTP/HTTPS and that /index.php accept the 'page' GET parameter, which is the application's default routing behavior - no authentication, no user interaction, and no non-default configuration are needed for at least local file disclosure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The combined signals point to a real, easily exploited bug but with bounded impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-exposed Online Food Ordering System instance via a Shodan or Google dork search and sends a single crafted request such as GET /index.php?page=../../../../etc/passwd to read sensitive files outside the web root, including configuration files containing database credentials. With public PoC code available on GitHub, this can be automated as part of mass-scanning sweeps targeting PHP applications. …
Remediation No vendor-released patch identified at time of analysis - SourceCodester projects are typically community-distributed scripts without formal patch pipelines, so administrators should plan to fix the code in place. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Conduct inventory of all production instances of SourceCodester Online Food Ordering System 2.0; immediately implement network access controls or Web Application Firewall rules blocking suspicious 'page' parameter values and path traversal sequences. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-10694 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy