CVE-2026-37748
Awaiting Analysis Awaiting Analysis - Queue

Unrestricted File Upload in Visitor Management System Enables RCE

Vulnerability report for CVE-2026-37748, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: MITRE

Description

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-04-22
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sanjay1313 visitor_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-37748 is an Unrestricted File Upload vulnerability in Visitor Management System 1.0 by sanjay1313. The vulnerability exists because the PHP function move_uploaded_file() is used in the files vms/php/admin_user_insert.php and vms/php/update_1.php without validating the MIME type, file extension, or file content of the uploaded files.

This lack of validation allows an authenticated admin user to upload a malicious PHP webshell disguised as an image file. The uploaded file is moved directly to the ../images/ directory using the original filename without any checks, enabling the attacker to execute arbitrary code on the server remotely.

Impact Analysis

This vulnerability can lead to full Remote Code Execution (RCE) on the server as the web server user. An attacker who is an authenticated admin can upload a malicious PHP webshell and execute arbitrary commands on the server.

The impact includes complete server compromise, potential data exfiltration of visitor records, and the possibility of lateral movement within the server network, which can further escalate the attack.

Detection Guidance

This vulnerability can be detected by checking for the presence of unauthorized PHP files in the images directory, which is intended for image uploads only. Since the vulnerability allows an authenticated admin to upload PHP webshells, scanning the ../images/ directory for .php files is a key detection step.

You can use commands to find suspicious PHP files in the upload directory, for example:

  • find /path/to/vms/images -type f -name '*.php'
  • grep -r '<?php' /path/to/vms/images

Additionally, monitoring web server logs for unusual requests to PHP files in the images directory, such as requests with query parameters (e.g., ?cmd=), can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing strict validation on uploaded files to prevent uploading of malicious PHP files.

  • Validate the file extension against an allowed list such as jpg, jpeg, png, and gif.
  • Validate the MIME type of the uploaded file using PHP's finfo_file() function to ensure it matches allowed image MIME types (image/jpeg, image/png, image/gif).
  • Rename uploaded files to unique names to prevent overwriting and guessing of file names.

Example remediation code includes checking extensions and MIME types before moving the uploaded file, as well as renaming the file to a unique name.

Also, restrict upload permissions to authenticated and authorized users only, and consider disabling file execution in the upload directory via web server configuration.

Compliance Impact

This vulnerability allows an authenticated admin to upload a malicious PHP webshell, leading to Remote Code Execution (RCE) on the server. Such a compromise can result in unauthorized access to sensitive data, including visitor records stored in the system.

The potential for data exfiltration and full server compromise poses significant risks to compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Failure to mitigate this vulnerability could lead to violations of these standards due to inadequate protection of data confidentiality, integrity, and availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart