CVE-2026-0643
Unrestricted File Upload in House Rental 1.0 Signup Component
Publication date: 2026-01-07
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | house_rental_and_property_listing | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0643 is a critical vulnerability in projectworlds House Rental and Property Listing version 1.0, specifically in the Signup component's file /app/register.php?action=reg. The vulnerability arises from improper validation of the 'image' argument, allowing attackers to perform unrestricted file uploads. This means attackers can upload arbitrary files, including malicious scripts, without restrictions on file type, size, or content. The flaw enables remote exploitation without authentication, potentially allowing attackers to execute malicious code on the server and compromise the system. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing attackers to upload and execute malicious files on your server. This can lead to unauthorized system access, manipulation or theft of sensitive data, spreading malware, and causing service disruptions. The integrity, confidentiality, and availability of your system and data can be compromised. Since no authentication is required to exploit this flaw, it poses a high risk and can be exploited remotely with ease. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve checking for unauthorized or suspicious file uploads to the /app/register.php?action=reg endpoint, especially files with double extensions like .php.jpg or unusual file types. Monitoring web server logs for POST requests to this endpoint with file upload parameters can help. Additionally, scanning the upload directory for files with executable extensions or unexpected content is recommended. Commands such as 'grep "POST /app/register.php?action=reg" /var/log/apache2/access.log' to find upload attempts, and 'find /path/to/upload/directory -type f \( -name "*.php" -o -name "*.php.jpg" \)' to locate suspicious files can be used. Also, using tools like 'file' command to inspect uploaded files' MIME types can help detect disguised malicious files. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement strict file type verification by checking MIME types, file extensions, and inspecting file content to allow only safe image formats like .jpg and .png; 2) Enforce file size limits to prevent abuse; 3) Store uploaded files outside the web root directory to prevent direct execution; 4) Rename uploaded files with unique random names to avoid path traversal and collisions; 5) Conduct regular security audits of the file upload functionality and related code. If possible, consider replacing the affected product as no known countermeasures currently exist. [2, 1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to upload arbitrary and potentially malicious files without restriction, leading to unauthorized system access, data manipulation, and potential data breaches. Such security failures can compromise the confidentiality, integrity, and availability of sensitive data, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. Therefore, this vulnerability poses a significant risk to compliance with these regulations. [1, 2, 3]