Skip to main content

bookcars CVE-2026-36722

MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-09 mitre
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 18:22 vuln.today
CVSS changed
Jun 10, 2026 - 18:22 NVD
5.4 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.

AnalysisAI

Arbitrary file upload via the /api/create-car-image endpoint in bookcars v8.3 enables server-side code execution by uploading a crafted file (e.g., a web shell). The vulnerability targets an image upload API that fails to restrict file types per CWE-434. No public exploit identified at time of analysis, and EPSS sits at 0.02% (6th percentile), indicating negligible observed exploitation pressure - however, two data conflicts significantly affect confidence: the description asserts an authenticated attacker is required while the CVSS vector records PR:N (no privileges required), and the CVSS impact scores of C:L/I:L are inconsistent with the claimed remote code execution outcome.

Technical ContextAI

bookcars is an open-source car rental platform. The vulnerable component is the /api/create-car-image API endpoint, which accepts file uploads for vehicle images. CWE-434 (Unrestricted Upload of File with Dangerous Type) describes server-side endpoints that accept user-supplied files without validating content type, extension, or magic bytes against an allowlist of safe formats. If the upload directory is web-accessible and the server interprets server-side scripts (e.g., PHP), an attacker can upload a script disguised as an image and trigger execution via a direct HTTP request to the stored file. The CPE entry is listed as cpe:2.3:a:n/a:n/a, meaning NVD has not assigned a normalized CPE identifier for bookcars v8.3, which limits automated scanner detection.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary remediation is to implement strict server-side file type validation on the /api/create-car-image endpoint: validate file extensions against an allowlist (e.g., .jpg, .png, .webp only), inspect file magic bytes independent of extension, and reject any file whose MIME type does not match an allowed image format. Store uploaded files outside the web root or in a dedicated object storage bucket (e.g., S3) to prevent direct HTTP execution of uploaded scripts - this is the most impactful compensating control since it breaks the execution step even if upload succeeds. Additionally, rename uploaded files to randomized UUIDs with enforced extensions to prevent predictable access. If the upload feature is non-essential, consider disabling the /api/create-car-image endpoint at the application or reverse proxy layer until a patch is available. The community disclosure is available at https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-16 and should be monitored for patch announcements.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy