bookcars CVE-2026-36722
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.
AnalysisAI
Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.
Technical ContextAI
bookcars is an open-source car rental platform. The vulnerable component is the /api/create-car-image API endpoint, which accepts file uploads for vehicle images. CWE-434 (Unrestricted Upload of File with Dangerous Type) describes server-side endpoints that accept user-supplied files without validating content type, extension, or magic bytes against an allowlist of safe formats. If the upload directory is web-accessible and the server interprets server-side scripts (e.g., PHP), an attacker can upload a script disguised as an image and trigger execution via a direct HTTP request to the stored file. The CPE entry is listed as cpe:2.3:a:n/a:n/a, meaning NVD has not assigned a normalized CPE identifier for bookcars v8.3, which limits automated scanner detection.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary remediation is to implement strict server-side file type validation on the /api/create-car-image endpoint: validate file extensions against an allowlist (e.g., .jpg, .png, .webp only), inspect file magic bytes independent of extension, and reject any file whose MIME type does not match an allowed image format. Store uploaded files outside the web root or in a dedicated object storage bucket (e.g., S3) to prevent direct HTTP execution of uploaded scripts - this is the most impactful compensating control since it breaks the execution step even if upload succeeds. Additionally, rename uploaded files to randomized UUIDs with enforced extensions to prevent predictable access. If the upload feature is non-essential, consider disabling the /api/create-car-image endpoint at the application or reverse proxy layer until a patch is available. The community disclosure is available at https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-16 and should be monitored for patch announcements.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Share
External POC / Exploit Code
Leaving vuln.today