CVE-2026-11344
Unrestricted File Upload in Vehicle Management System
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | vehicle_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote code execution through unrestricted file upload, leading to full system compromise with the privileges of the web server process.
Such a compromise could lead to unauthorized access, modification, or disclosure of sensitive personal or health data managed by the Vehicle Management System.
This exposure can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and health information against unauthorized access and breaches.
Can you explain this vulnerability to me?
CVE-2026-11344 is a critical vulnerability in the Vehicle Management System In PHP V1.0 by code-projects.org. It exists in the newdriver.php and newvehicle.php endpoints, which lack session validation and file type restrictions.
An attacker can remotely and without authentication upload a malicious PHP webshell file through the photo upload field. This unrestricted file upload allows the attacker to execute arbitrary operating system commands on the server.
The uploaded malicious file is saved in the /picture/ directory, enabling full system compromise with the privileges of the web server process.
How can this vulnerability impact me?
This vulnerability can lead to a complete compromise of the affected server. An attacker can execute arbitrary commands remotely without any authentication or user interaction.
- Full system compromise with the privileges of the web server process.
- Potential unauthorized access to sensitive data stored on the server.
- Possibility of further attacks such as data theft, data manipulation, or using the server as a pivot point for attacks on other systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthenticated access to the endpoints newdriver.php and newvehicle.php, which allow unrestricted file uploads.
One way to detect exploitation attempts is to look for suspicious PHP files uploaded in the /picture/ directory, especially webshells.
- Use network scanning or web application scanning tools to identify if newdriver.php and newvehicle.php are accessible without authentication.
- On the server, run commands to list recently uploaded files in the /picture/ directory, for example: ls -l /path/to/picture/ | grep ".php"
- Check web server logs for POST requests to newdriver.php or newvehicle.php that include file uploads.
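The two checks above, as an added detection script that is not part of the advisory or of the vendor's code: it lists files in the photo upload directory that are PHP by extension or lack an image signature, and flags access-log lines showing a POST to newdriver.php or newvehicle.php or a request to a PHP file under /picture/. The executable-extension list and the combined log format are assumptions about a typical Apache/PHP deployment; the directory contents and log lines are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical Apache/PHP setup hands to the PHP interpreter (assumption).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}
# Leading bytes of the image formats a "photo" upload field should contain.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
VULN_ENDPOINTS = ("newdriver.php", "newvehicle.php")
# Request part of an Apache/nginx combined-format access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_uploads(picture_dir):
    """(name, reason) for files that are PHP by extension or lack an image signature
    (a script saved under an image name); polyglots with a real image header pass."""
    found = []
    for path in sorted(p for p in Path(picture_dir).iterdir() if p.is_file()):
        if path.suffix.lower() in PHP_EXTENSIONS:
            found.append((path.name, "php-extension"))
        elif not path.read_bytes()[:8].startswith(IMAGE_MAGIC):
            found.append((path.name, "no-image-signature"))
    return found

def flag_requests(log_lines):
    """(method, path, status) for POSTs to the vulnerable endpoints and for any
    request to a PHP file under /picture/, i.e. a stored script being executed."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        upload = m["method"] == "POST" and path.endswith(VULN_ENDPOINTS)
        stored = path.startswith("/picture/") and Path(path).suffix.lower() in PHP_EXTENSIONS
        if upload or stored:
            hits.append((m["method"], path, int(m["status"])))
    return hits

def demo():
    """Constructed sample data: a scratch picture directory and three log lines."""
    d = Path(tempfile.mkdtemp())
    (d / "driver1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG header
    (d / "driver2.jpg").write_bytes(b"<?php /* constructed */ ?>")     # script under image name
    (d / "upload.php").write_bytes(b"<?php /* constructed */ ?>")
    log = [
        '203.0.113.7 - - [05/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.7 - - [05/Jun/2026:10:01:09 +0000] "POST /newdriver.php HTTP/1.1" 200 341',
        '203.0.113.7 - - [05/Jun/2026:10:01:15 +0000] "GET /picture/upload.php HTTP/1.1" 200 88',
    ]
    return suspicious_uploads(d), flag_requests(log)
```

Run suspicious_uploads against the real upload directory and flag_requests over the access log; a hit on a GET to a PHP file under /picture/ means an uploaded script has already been executed, not merely stored.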
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoints newdriver.php and newvehicle.php to authenticated users only.
Implement strict file upload validation to restrict file types and prevent uploading executable files such as PHP scripts.
Monitor and remove any suspicious files found in the /picture/ directory.
If possible, temporarily disable the file upload functionality until a patch or official fix is available from the vendor.
Review web server permissions to limit the ability of uploaded files to be executed.