CVE-2026-15539
Received Received - Intake

Unrestricted File Upload in Online Book Store System 1.0

Vulnerability report for CVE-2026-15539, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester online_book_store_system 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15539 is a critical authenticated Remote Code Execution (RCE) vulnerability in the Book Management module of the Online Book Store application. It arises from an unrestricted file upload feature that allows authenticated administrators to upload arbitrary PHP files without proper validation of file types, extensions, or executable content.

Because uploaded files are stored in a web-accessible directory and PHP execution is permitted, an attacker can upload a malicious PHP web shell and execute arbitrary operating system commands with the privileges of the web server process.

This vulnerability exists due to inadequate file validation, lack of MIME type and magic byte checks, and storing executable files in a web-accessible directory.

Compliance Impact

The vulnerability allows authenticated administrators to upload arbitrary executable files, leading to potential full compromise of the web application and server. This can result in unauthorized access to sensitive data, including reading sensitive files and accessing database credentials.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access and breaches.

Failure to remediate this vulnerability could lead to violations of these regulations due to exposure or compromise of protected data.

Impact Analysis

Successful exploitation of this vulnerability can lead to complete compromise of the web application and potentially the entire server.

  • Reading sensitive files
  • Accessing database credentials
  • Modifying source code
  • Installing backdoors
  • Executing arbitrary operating system commands with web server privileges

The severity depends on the hosting environment and system privileges but can result in full server takeover.

Detection Guidance

This vulnerability can be detected by checking for the presence of unauthorized or suspicious PHP files uploaded via the Book Image Upload feature in the /admin/index.php?page=books component. Since the vulnerability allows authenticated users to upload arbitrary PHP files, scanning the upload directory for executable PHP files is a key detection method.

Commands to detect potential exploitation include searching for PHP files in the upload directory and checking web server logs for suspicious upload activity or execution of unusual commands.

  • Find PHP files in the upload directory (example path): find /path/to/uploads -type f -name '*.php'
  • Check web server access logs for suspicious requests to upload or execute files: grep 'index.php?page=books' /var/log/apache2/access.log | grep -i 'upload\|php'
  • Look for web shells by searching for common PHP web shell signatures: grep -r '<?php system' /path/to/uploads
Mitigation Strategies

Immediate mitigation steps include restricting file uploads to approved image formats only and validating MIME types and file signatures to prevent executable files from being uploaded.

Additional important actions are to rename uploaded files with random identifiers, store uploaded files outside the web root directory, and disable PHP execution in the uploads directory to prevent execution of malicious code.

Implement allow-list validation, content inspection, least-privilege permissions on upload directories, and enable logging and monitoring of upload activities to detect and prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart