Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10694

CVE-2026-10694: Food Ordering System RCE Vulnerability

CVE-2026-10694 is a remote code execution vulnerability in SourceCodester Online Food Ordering System 2.0 caused by file inclusion flaws. Attackers can exploit this remotely to execute malicious code. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-10694 Overview

CVE-2026-10694 is a file inclusion vulnerability affecting SourceCodester Online Food Ordering System 2.0. The flaw resides in the include function within /index.php, where the page parameter is processed without proper validation. Attackers can manipulate this argument to include arbitrary files, exposing sensitive application data or enabling further compromise. The vulnerability is exploitable remotely and requires no authentication or user interaction. Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed installations. The weakness is categorized under [CWE-73] (External Control of File Name or Path).

Critical Impact

Remote unauthenticated attackers can manipulate the page parameter in /index.php to perform file inclusion attacks against affected installations.

Affected Products

  • SourceCodester Online Food Ordering System 2.0
  • /index.php component using the include function
  • Deployments exposing the page parameter to untrusted input

Discovery Timeline

  • 2026-06-03 - CVE-2026-10694 published to NVD
  • 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-10694

Vulnerability Analysis

The vulnerability stems from unsafe use of PHP's include construct inside /index.php. The application takes the page request parameter and passes it directly to a file inclusion routine without sanitization or allow-listing. An attacker supplies a crafted value to control which file the server loads at runtime. Depending on server configuration, this enables Local File Inclusion (LFI) against readable files on the host. If allow_url_include is enabled, the same primitive may extend to Remote File Inclusion (RFI). The behavior is reachable over the network and does not require authentication, which broadens the exposed attack surface for any internet-facing deployment.

Root Cause

The root cause is external control of a file path argument passed to include ([CWE-73]). User-supplied data flows into a file system operation without normalization, canonicalization, or validation against an explicit allow-list of permitted page identifiers.

Attack Vector

An attacker issues an HTTP GET request to /index.php with a malicious page parameter referencing an unintended file path. Successful exploitation can expose configuration files, source code, or session data, and may chain with file upload weaknesses to achieve code execution. The exploit is publicly disclosed via VulDB and a related GitHub issue, lowering the barrier to weaponization.

No verified proof-of-concept code is reproduced here. See the GitHub Issue Discussion and VulDB Vulnerability Details for technical references.

Detection Methods for CVE-2026-10694

Indicators of Compromise

  • HTTP requests to /index.php containing page parameter values with path traversal sequences such as ../, encoded variants like %2e%2e%2f, or null byte injection attempts.
  • Web server access logs showing inclusion of unexpected file paths or references to sensitive system files like /etc/passwd or PHP configuration files.
  • Outbound HTTP requests originating from the web server process when allow_url_include is enabled, indicating possible remote file inclusion.

Detection Strategies

  • Inspect web server and application logs for anomalous page parameter values that deviate from the expected set of page identifiers used by the application.
  • Deploy Web Application Firewall (WAF) rules that flag directory traversal patterns and known LFI payloads against the /index.php endpoint.
  • Correlate file system access events with the web server process to identify reads of files outside the application's intended document root.

Monitoring Recommendations

  • Centralize PHP and web server logs in a SIEM and alert on repeated 200-status responses for varying page values from the same client.
  • Monitor for new outbound connections from the PHP-FPM or Apache process, which may indicate RFI exploitation.
  • Track file integrity on web root directories to detect attacker-uploaded payloads referenced through the inclusion primitive.

How to Mitigate CVE-2026-10694

Immediate Actions Required

  • Restrict access to the affected application to trusted networks until a vendor fix is applied.
  • Implement a server-side allow-list that maps the page parameter to a fixed set of permitted file names before any include operation.
  • Disable allow_url_include and allow_url_fopen in php.ini to prevent remote file inclusion variants.
  • Review web server logs for prior exploitation attempts and validate the integrity of the application's file system.

Patch Information

No vendor patch is referenced in the available data. SourceCodester maintainers should be consulted via the SourceCodester website and the GitHub Issue Discussion for remediation status. Until an official fix is published, code-level mitigation through input validation and allow-listing is required.

Workarounds

  • Place the application behind a WAF with rules blocking path traversal sequences and protocol wrappers such as php://, file://, and data:// in query parameters.
  • Run the PHP process under a least-privilege user account and use open_basedir restrictions to confine file system access to the application directory.
  • If the application is non-essential, take it offline until the vendor releases a patched version.
bash
# Example php.ini hardening to reduce file inclusion risk
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/online-food-ordering/:/tmp/"
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.