CVE-2026-7732
Unrestricted File Upload in BloodBank Managing System 1.0
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | bloodbank_managing_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized remote code execution on the server hosting the BloodBank Managing System.
- An attacker can upload and execute malicious PHP scripts, potentially gaining control over the server.
- This can lead to data theft, data manipulation, or disruption of the blood bank management services.
- The attacker can maintain persistence by uploading files that remain even if database operations fail.
Can you explain this vulnerability to me?
CVE-2026-7732 is an arbitrary file upload vulnerability in the BloodBank Managing System 1.0, specifically in the request_blood.php file. This vulnerability allows an attacker to upload files without proper validation of file extensions, MIME types, or content.
Because the upload directory is web-accessible, an attacker can upload malicious PHP files and execute them remotely by accessing a predictable URL. This leads to Remote Code Execution (RCE), meaning the attacker can run arbitrary code on the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of arbitrary file uploads in the web-accessible upload directory, specifically the request_image/ directory. Since the system allows uploading PHP files without validation, you can look for suspicious PHP files with random three-digit prefixes in that directory.
You can also monitor HTTP requests to the request_blood.php file for POST requests that include file uploads, especially those that attempt to upload PHP files.
- Use commands to list suspicious files in the upload directory, for example: ls -l /path/to/request_image/*.php
- Check web server logs for POST requests to request_blood.php that include file uploads: grep 'POST /request_blood.php' /var/log/apache2/access.log
- Search for recently modified or created PHP files in the upload directory: find /path/to/request_image/ -name '*.php' -mtime -7
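The detection logic above as a script, added here as an example (not from the advisory or from the project): it runs over constructed Apache combined-format access log lines, flags POSTs to request_blood.php, flags requests for .php files under request_image/, and correlates the two by client IP within a time window. It assumes the combined log format and the request_image/ path; the separator after the three-digit prefix is not given on the page, so the filename check accepts any suffix.

```python
import re
from datetime import datetime

# Apache "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Three-digit prefix plus .php extension, as described on the page.
UPLOADED_PHP_RE = re.compile(r'^\d{3}\S*\.php$', re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:10:01:02 +0000] "GET /request_blood.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2026:10:01:09 +0000] "POST /request_blood.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2026:10:01:11 +0000] "GET /request_image/417upload.php?x=1 HTTP/1.1" 200 61 "-" "curl/8.0"
198.51.100.4 - - [04/May/2026:10:02:30 +0000] "GET /request_image/882donor.jpg HTTP/1.1" 200 23311 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_suspicious(lines, window_s=300):
    """Return (upload POSTs, .php fetches under request_image/, correlated pairs)."""
    recs = [r for r in map(parse_line, lines) if r]
    posts = [r for r in recs if r["method"] == "POST" and r["path"].endswith("/request_blood.php")]
    executions = [r for r in recs if "/request_image/" in r["path"] and r["path"].lower().endswith(".php")]
    correlated = []
    for ex in executions:  # same client fetched a .php shortly after posting an upload
        for p in posts:
            dt = (ex["ts"] - p["ts"]).total_seconds()
            if p["ip"] == ex["ip"] and 0 <= dt <= window_s:
                correlated.append((p["ip"], p["ts"].isoformat(), ex["path"]))
                break
    return posts, executions, correlated

def suspicious_filenames(names):
    """Filter a directory listing (e.g. os.listdir) down to prefixed .php names."""
    return sorted(n for n in names if UPLOADED_PHP_RE.match(n))

if __name__ == "__main__":
    posts, execs, corr = find_suspicious(SAMPLE_LOG.splitlines())
    print(len(posts), "upload POSTs;", len(execs), "php fetches;", "correlated:", corr)
    print(suspicious_filenames(["417upload.php", "882donor.jpg", "notes.php"]))
```

Point `find_suspicious` at the real access log and `suspicious_filenames` at `os.listdir` of the upload directory; a correlated hit is the strongest signal, since the access log itself does not record the uploaded filename.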
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting file uploads through request_blood.php until a proper fix is applied.
Implement server-side validation to restrict file uploads to only allowed file types and verify MIME types and file contents.
Restrict access to the upload directory (request_image/) to prevent execution of uploaded files, for example by disabling PHP execution in that directory via web server configuration.
Remove any suspicious or unauthorized PHP files from the upload directory.
Monitor logs for any suspicious upload attempts and consider applying web application firewall (WAF) rules to block malicious upload requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the BloodBank Managing System allows arbitrary file uploads leading to remote code execution. This can result in unauthorized access or manipulation of sensitive data, potentially compromising confidentiality, integrity, and availability of personal health information.
Such a security flaw can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and health-related data from unauthorized access and breaches.
Specifically, the ability for an attacker to execute arbitrary code remotely could lead to data breaches or unauthorized data disclosure, violating data protection requirements and potentially resulting in legal and financial consequences.