Vulnerabilities ›

CVE-2026-10558

Medium

CWE-73 — Weakness Type

                    Published: Jun 2, 2026                      ·  Modified: Jun 5, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack is possible to be carried out remotely. The exploit is now public and may be used.

🤖 AI Executive Summary

CVE-2026-10558 is a remote file inclusion (RFI) vulnerability in SourceCodester Pizzafy Ecommerce System 1.0 affecting the /admin/index.php file through the 'page' parameter manipulation. With a CVSS score of 6.3 and public exploit availability, this poses a moderate risk to organizations using this e-commerce platform. No patch is currently available, requiring immediate compensating controls and system isolation.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 2, 2026 14:16

🇸🇦 Saudi Arabia Impact Assessment

Saudi e-commerce businesses, particularly small to medium enterprises (SMEs) in retail and food service sectors using Pizzafy, face direct compromise risk. Government procurement portals and ARAMCO subsidiary e-commerce systems using this platform could be impacted. Banking sector exposure is moderate if payment processing is integrated. Telecom companies (STC, Mobily) operating e-commerce platforms are at risk. Healthcare sector e-commerce systems for pharmaceutical distribution could be compromised. The vulnerability allows unauthorized file access and potential remote code execution, threatening data confidentiality and system integrity.

🏢 Affected Saudi Sectors

Retail and E-commerce Food Service and Restaurants Government Procurement Banking and Financial Services Telecommunications Healthcare and Pharmaceuticals Energy Sector

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1105 - Ingress Tool Transfer T1059 - Command and Scripting Interpreter T1083 - File and Directory Discovery T1087 - Account Discovery T1040 - Traffic Sniffing T1566 - Phishing

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all instances of Pizzafy Ecommerce System 1.0 in your environment and isolate affected systems from production networks

2. Implement Web Application Firewall (WAF) rules to block requests containing suspicious 'page' parameter values (e.g., file paths, protocol handlers like php://, file://, http://)

3. Restrict access to /admin/index.php to authorized IP addresses only using network-level controls

4. Enable comprehensive logging and monitoring of all requests to /admin/index.php

PATCHING GUIDANCE:

5. Contact SourceCodester for patch availability or consider upgrading to a patched version if available

6. If no patch is available, plan immediate migration to alternative e-commerce platforms (Magento, WooCommerce, OpenCart with current security patches)

COMPENSATING CONTROLS:

7. Implement input validation: whitelist allowed 'page' parameter values and reject any containing path traversal sequences (../, ..\\ ) or protocol handlers

8. Disable PHP's allow_url_include and allow_url_fopen directives in php.ini

9. Apply principle of least privilege to web server process user accounts

10. Implement file integrity monitoring on critical application files

DETECTION RULES:

11. Monitor for HTTP requests to /admin/index.php with 'page' parameters containing: file://, php://, http://, https://, ../, ..\\ , or encoded variants

12. Alert on any 403/404 errors followed by successful requests to /admin/index.php

13. Track failed authentication attempts to /admin/index.php

14. Monitor for unusual file access patterns or process execution from web server process

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع نسخ نظام Pizzafy للتجارة الإلكترونية الإصدار 1.0 في بيئتك وعزل الأنظمة المتأثرة عن شبكات الإنتاج

2. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على قيم معاملات 'page' مريبة (مثل مسارات الملفات، معالجات البروتوكول مثل php://، file://، http://)

3. قيد الوصول إلى /admin/index.php على عناوين IP المصرح بها فقط باستخدام ضوابط على مستوى الشبكة

4. فعّل التسجيل والمراقبة الشاملة لجميع الطلبات إلى /admin/index.php

إرشادات التصحيح:

5. اتصل بـ SourceCodester للتحقق من توفر التصحيح أو فكر في الترقية إلى نسخة مصححة إن أمكن

6. إذا لم يكن هناك تصحيح متاح، خطط للهجرة الفورية إلى منصات تجارة إلكترونية بديلة (Magento، WooCommerce، OpenCart مع التصحيحات الأمنية الحالية)

الضوابط التعويضية:

7. طبق التحقق من صحة المدخلات: قائمة بيضاء لقيم معاملات 'page' المسموحة ورفض أي منها يحتوي على تسلسلات اجتياز المسارات (../ أو ..\\ ) أو معالجات البروتوكول

8. عطّل توجيهات allow_url_include و allow_url_fopen في php.ini

9. طبق مبدأ أقل امتياز على حسابات مستخدمي عملية خادم الويب

10. طبق مراقبة سلامة الملفات على ملفات التطبيق الحرجة

قواعد الكشف:

11. راقب طلبات HTTP إلى /admin/index.php مع معاملات 'page' تحتوي على: file://، php://، http://، https://، ../، ..\\ ، أو متغيرات مشفرة

12. أصدر تنبيهات عند أخطاء 403/404 متبوعة بطلبات ناجحة إلى /admin/index.php

13. تتبع محاولات المصادقة الفاشلة إلى /admin/index.php

14. راقب أنماط الوصول إلى الملفات غير العادية أو تنفيذ العمليات من عملية خادم الويب

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies and Procedures A.6.1.1 - Access Control Policy A.6.2.1 - User Registration and De-registration A.8.2.1 - Classification of Information A.8.2.3 - Handling of Assets A.12.2.1 - Controls Against Malware A.12.4.1 - Event Logging A.12.4.3 - Administrator and Operator Logs A.13.1.1 - Information Security Incident Procedures

🔵 SAMA CSF

ID.AM-2 - Software Inventory PR.AC-1 - Access Control Policy PR.AC-4 - Access Rights Management PR.DS-2 - Data Security PR.PT-1 - Security Awareness and Training DE.AE-1 - Anomalies and Events Detection DE.CM-1 - System Monitoring RS.AN-1 - Incident Analysis

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.6.1.1 - Information security roles and responsibilities A.8.1.1 - Inventory of assets A.8.2.3 - Handling of assets A.12.2.1 - Controls against malware A.12.4.1 - Event logging A.12.4.3 - Administrator and operator logs A.13.1.1 - Reporting information security events and weaknesses

🟣 PCI DSS v4.0.1

Requirement 1.1 - Firewall Configuration Standards Requirement 2.2.4 - Configure System Security Parameters Requirement 6.2 - Ensure Security Patches Installed Requirement 6.5.1 - Injection Flaws Requirement 10.2.1 - User Access Logging Requirement 10.3.1 - Failed Access Attempts Logging

🔗 References & Sources 6

🔗

https://github.com/cyber-bhaskar10/CVE-Writeups/blob/main/CVE%20Writeup%20Local%20File%...

cna@vuldb.com

🔗

https://vuldb.com/cve/CVE-2026-10558

cna@vuldb.com

🔗

https://vuldb.com/submit/828785

cna@vuldb.com

🔗

https://vuldb.com/vuln/367648

cna@vuldb.com

🔗

https://vuldb.com/vuln/367648/cti

cna@vuldb.com

🔗

https://www.sourcecodester.com/

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-73

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-06-02

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-73

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-10558

Introduce Yourself

Sign In Required