CVE-2026-11344
Deferred Deferred - Pending Action

Unrestricted File Upload in Vehicle Management System

Vulnerability report for CVE-2026-11344, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulDB

Description

A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-07-17
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
code-projects vehicle_management_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11344 is a critical vulnerability in the Vehicle Management System In PHP V1.0 by code-projects.org. It exists in the newdriver.php and newvehicle.php endpoints, which lack session validation and file type restrictions.

An attacker can remotely and without authentication upload a malicious PHP webshell file through the photo upload field. This unrestricted file upload allows the attacker to execute arbitrary operating system commands on the server.

The uploaded malicious file is saved in the /picture/ directory, enabling full system compromise with the privileges of the web server process.

Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the endpoints newdriver.php and newvehicle.php, which allow unrestricted file uploads.

One way to detect exploitation attempts is to look for suspicious PHP files uploaded in the /picture/ directory, especially webshells.

  • Use network scanning or web application scanning tools to identify if newdriver.php and newvehicle.php are accessible without authentication.
  • On the server, run commands to list recently uploaded files in the /picture/ directory, for example: ls -l /path/to/picture/ | grep ".php"
  • Check web server logs for POST requests to newdriver.php or newvehicle.php that include file uploads.
Impact Analysis

This vulnerability can lead to a complete compromise of the affected server. An attacker can execute arbitrary commands remotely without any authentication or user interaction.

  • Full system compromise with the privileges of the web server process.
  • Potential unauthorized access to sensitive data stored on the server.
  • Possibility of further attacks such as data theft, data manipulation, or using the server as a pivot point for attacks on other systems.
Compliance Impact

The vulnerability allows unauthenticated remote code execution through unrestricted file upload, leading to full system compromise with the privileges of the web server process.

Such a compromise could lead to unauthorized access, modification, or disclosure of sensitive personal or health data managed by the Vehicle Management System.

This exposure can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and health information against unauthorized access and breaches.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints newdriver.php and newvehicle.php to authenticated users only.

Implement strict file upload validation to restrict file types and prevent uploading executable files such as PHP scripts.

Monitor and remove any suspicious files found in the /picture/ directory.

If possible, temporarily disable the file upload functionality until a patch or official fix is available from the vendor.

Review web server permissions to limit the ability of uploaded files to be executed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart