CVE-2026-13553
Received - Intake

Unrestricted File Upload in Online Hotel Management System

Vulnerability report for CVE-2026-13553, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Executing a manipulation of the argument image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode online_hotel_management_system 1.0

Exploitability

CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-13553 vulnerability affects the Online Hotel Management System version 1.0, specifically in the file /admin/mod_amenities/controller.php. It is an arbitrary file upload vulnerability that allows attackers to manipulate the 'image' argument to bypass file type detection by altering the 'Content-Type' and 'Content-Disposition' headers.

This manipulation enables attackers to upload malicious files, such as PHP scripts disguised as images, without authentication. Due to improper validation of uploaded files, attackers can execute arbitrary code on the server.

Impact Analysis

Exploiting this vulnerability can allow attackers to gain control over the affected server by executing arbitrary code. This can lead to unauthorized access, data theft, and the ability to launch further attacks from the compromised server.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious file uploads to the /admin/mod_amenities/controller.php?action=add endpoint, especially uploads that manipulate the 'image' argument.

Since the exploit involves bypassing file type detection by manipulating HTTP headers such as 'Content-Type' and 'Content-Disposition', inspecting HTTP requests for unusual or inconsistent header values during file uploads can help identify attempts to exploit this flaw.

Commands to detect such activity might include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint (this only sees plaintext HTTP on port 80; TLS traffic has to be inspected at the web server or a terminating proxy), for example:

  • tcpdump -A -s 0 'tcp port 80 and (((ip dst YOUR_SERVER_IP) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)))'
  • grep or awk over the web server access logs to find POST requests to /admin/mod_amenities/controller.php?action=add; note that standard access logs record only the request line, not the multipart body, so the uploaded file name and 'image' parameter are visible only in full request captures or application-level logging.

Additionally, scanning the web server directories for recently uploaded files with suspicious extensions or PHP code disguised as images can help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include implementing strict validation of uploaded files by verifying the actual file content rather than relying solely on HTTP headers like 'Content-Type' and 'Content-Disposition'.

Enforce a whitelist of allowed file types and extensions to prevent arbitrary file uploads.

Store uploaded files outside of web-accessible directories to prevent direct execution.

Rename uploaded files to unpredictable names to avoid path guessing.

Additionally, monitor and restrict access to the vulnerable endpoint and consider applying patches or updates from the vendor if available.
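The validation and storage steps above, and the file inspection suggested in the detection guidance, as an added Python example (not code from the Online Hotel Management System, which is written in PHP): a file is accepted only if its extension is whitelisted, its leading bytes match that image type, and it carries no embedded PHP open tag, and it is then stored under a random name in a directory assumed to lie outside the web root. The sample bytes are constructed; the same inspect_upload check can be run over already-stored files to find PHP disguised as images.

```python
import os
import secrets
from pathlib import Path, PurePosixPath

# Whitelisted extensions and the magic bytes a file with that extension must begin with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# PHP open tags have no place inside an image; their presence marks a polyglot upload.
SCRIPT_MARKERS = (b"<?php", b"<?=")

# Constructed samples: a minimal PNG header, and the same header with PHP appended.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_SAMPLE = PNG_SAMPLE + b"<?php echo 'not an image'; ?>"


def inspect_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason). The client-supplied filename and Content-Type are
    untrusted hints; the decision rests on the whitelist and the bytes received."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not in whitelist"
    if not content_type.lower().startswith("image/"):
        return False, f"declared Content-Type '{content_type}' is not an image"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "file content does not match the claimed image type"
    for marker in SCRIPT_MARKERS:
        if marker in data:
            return False, f"embedded script marker {marker!r} found in image data"
    return True, "ok"


def store_upload(filename: str, content_type: str, data: bytes, storage_dir: str) -> str:
    """Validate the upload and save it under a random name in storage_dir (assumed to
    be outside the web root). Returns the stored path; raises ValueError if rejected."""
    accepted, reason = inspect_upload(filename, content_type, data)
    if not accepted:
        raise ValueError(f"upload rejected: {reason}")
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    dest = Path(storage_dir) / f"{secrets.token_hex(16)}.{ext}"
    # O_EXCL guarantees a fresh file: an existing file is never overwritten.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return str(dest)
```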
