CVE-2026-36722
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor: bookcars, Product: bookcars, Version: 8.3
Vendor: bookcars, Product: bookcars, Version range: up to 8.3 (inclusive)
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-36722 is an authenticated arbitrary file upload vulnerability in the BookCars software up to version 8.3. It occurs in the /api/create-car-image component, allowing attackers to upload crafted files without proper validation.

The vulnerability arises because the application does not properly check the file extensions or verify the actual content type of uploaded files. Although it generates a safe filename, it does not prevent dangerous file types like HTML or SVG from being uploaded.

Attackers can exploit this by uploading malicious files containing executable code, such as HTML files with embedded JavaScript, which can then be executed when accessed through the CDN directory. This can lead to stored Cross-Site Scripting (XSS) attacks.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary code on the system by uploading malicious files. Specifically, it can lead to stored Cross-Site Scripting (XSS) attacks when malicious scripts embedded in uploaded files are executed by users accessing those files.

Such attacks can compromise user data, hijack user sessions, deface websites, or perform other malicious actions that undermine the security and integrity of the affected application.

Detection Guidance

This vulnerability involves unrestricted file uploads to the /api/create-license endpoint, allowing arbitrary file types to be uploaded without proper validation.

To detect exploitation attempts or presence of malicious files, you can check the CDN temporary directory for suspicious files with extensions like .html, .svg, or .xhtml that should not normally be uploaded.

Suggested commands include:

  • Listing files with suspicious extensions in the CDN directory: `find /path/to/cdn/temp/ -type f \( -name "*.html" -o -name "*.svg" -o -name "*.xhtml" \)`
  • Checking the timestamps of recent uploads: `ls -ltr /path/to/cdn/temp/`
  • Searching for files containing JavaScript code: `grep -ril "<script" /path/to/cdn/temp/`
  • Monitoring web server logs for requests to the /api/create-license endpoint to identify suspicious upload activity.
Mitigation Strategies

Immediate mitigation steps include implementing strict validation and restrictions on file uploads to the /api/create-license endpoint.

  • Enforce a whitelist of allowed file extensions to prevent uploading dangerous file types like .html, .svg, or .xhtml.
  • Validate the actual content of uploaded files using magic bytes verification to ensure the file content matches the expected type.
  • Set proper Content-Type and Content-Disposition headers when serving files from the CDN directory.
  • Apply Content Security Policy (CSP) policies to the CDN directories to restrict execution of malicious scripts.
  • Sanitize or reject files that may contain executable code before storing them.