Is Visitor Management System affected by CVE-2026-37748?

Visitor Management System 1.0 contains a critical remote code execution vulnerability in administrator file upload functions that allows authenticated admins to deploy malicious PHP code directly to the server, potentially compromising facility access controls and related business systems.

Visitor Management System CVE-2026-37748

EUVD-2026-24139 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-21 mitre

GHSA-3pw2-2fp4-54wm

PHP RCE File Upload

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 16:07 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 19:23 vuln.today

CVSS changed

Apr 21, 2026 - 19:22 NVD

7.2 (None) 7.2 (HIGH)

DescriptionNVD

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.

AnalysisAI

Remote code execution in Visitor Management System 1.0 allows authenticated administrators to upload PHP webshells via two unvalidated file upload endpoints (admin_user_insert.php and update_1.php). The move_uploaded_file() function lacks MIME type, extension, and content validation, enabling direct server compromise. …

RemediationAI

Within 24 hours: Identify all systems running Visitor Management System 1.0 and document current versions; restrict administrative access to admin_user_insert.php and update_1.php endpoints via network firewall or WAF rules blocking POST/file uploads. Within 7 days: Conduct forensic audit of file upload directories and admin logs for unauthorized PHP files or suspicious administrative activity dating back 90 days; isolate affected systems from production networks if compromise indicators are found. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-37748 vulnerability details – vuln.today

Back

Visitor Management System CVE-2026-37748

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code