CVE-2026-15540 in Online Book Store System
Summary
by MITRE • 07/13/2026
A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/require statement in php program. It is possible to initiate the attack remotely. The exploit is now public and may be used.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability represents a critical remote code execution risk within the SourceCodester Online Book Store System 1.0 administrative interface. The flaw exists in the /admin/index.php file where an insecure input handling mechanism allows attackers to manipulate the page parameter in include/require statements. This type of vulnerability falls under CWE-95 which specifically addresses improper control of dynamic code generation, execution, or modification. The vulnerability enables arbitrary file inclusion attacks where malicious actors can inject and execute unauthorized PHP code through crafted page parameters.
The technical implementation of this flaw demonstrates a classic path traversal and code injection vulnerability that operates at the application level. When an attacker manipulates the page argument parameter, the system fails to properly validate or sanitize the input before using it in dynamic include statements. This creates an environment where attackers can reference arbitrary files on the server filesystem, potentially leading to full system compromise. The remote exploitability aspect means that attackers do not require local access to the system and can leverage this vulnerability from external networks.
The operational impact of this vulnerability extends beyond simple code execution capabilities. Attackers can potentially escalate privileges, gain persistent access, or extract sensitive data from the compromised system. This vulnerability directly maps to several ATT&CK techniques including T1059 for command and scripting interpreter and T1566 for phishing with malicious attachments or links. The public availability of exploits increases the risk profile significantly as it eliminates the need for advanced technical skills to exploit this weakness.
Mitigation strategies should focus on implementing proper input validation and sanitization mechanisms throughout the application code. All user-supplied input must be rigorously validated before being used in dynamic include statements, with strict whitelisting approaches preferred over blacklisting methods. The system should employ proper parameterized queries and avoid dynamic code execution where possible. Additionally, implementing least privilege access controls for administrative interfaces, disabling unnecessary PHP functions, and maintaining up-to-date security patches will significantly reduce the attack surface. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other components of the application. The vulnerability also highlights the importance of following secure coding practices as outlined in OWASP Top Ten and NIST cybersecurity frameworks for preventing such critical flaws in web applications.