CVE-2026-11344
Deferred Deferred - Pending Action
Unrestricted File Upload in Vehicle Management System

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description
A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-11344
EUVD
EUVD-2026-34865
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects vehicle_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated remote code execution through unrestricted file upload, leading to full system compromise with the privileges of the web server process.

Such a compromise could lead to unauthorized access, modification, or disclosure of sensitive personal or health data managed by the Vehicle Management System.

This exposure can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and health information against unauthorized access and breaches.

Executive Summary

CVE-2026-11344 is a critical vulnerability in the Vehicle Management System In PHP V1.0 by code-projects.org. It exists in the newdriver.php and newvehicle.php endpoints, which lack session validation and file type restrictions.

An attacker can remotely and without authentication upload a malicious PHP webshell file through the photo upload field. This unrestricted file upload allows the attacker to execute arbitrary operating system commands on the server.

The uploaded malicious file is saved in the /picture/ directory, enabling full system compromise with the privileges of the web server process.

Impact Analysis

This vulnerability can lead to a complete compromise of the affected server. An attacker can execute arbitrary commands remotely without any authentication or user interaction.

  • Full system compromise with the privileges of the web server process.
  • Potential unauthorized access to sensitive data stored on the server.
  • Possibility of further attacks such as data theft, data manipulation, or using the server as a pivot point for attacks on other systems.
Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the endpoints newdriver.php and newvehicle.php, which allow unrestricted file uploads.

One way to detect exploitation attempts is to look for suspicious PHP files uploaded in the /picture/ directory, especially webshells.

  • Use network scanning or web application scanning tools to identify if newdriver.php and newvehicle.php are accessible without authentication.
  • On the server, run commands to list recently uploaded files in the /picture/ directory, for example: ls -l /path/to/picture/ | grep ".php"
  • Check web server logs for POST requests to newdriver.php or newvehicle.php that include file uploads.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints newdriver.php and newvehicle.php to authenticated users only.

Implement strict file upload validation to restrict file types and prevent uploading executable files such as PHP scripts.

Monitor and remove any suspicious files found in the /picture/ directory.

If possible, temporarily disable the file upload functionality until a patch or official fix is available from the vendor.

Review web server permissions to limit the ability of uploaded files to be executed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart