CVE-2026-37748 - Vulnerability Analysis
Severity: High
CVSS: 7.2
Last Updated: April 21, 2026
Visitor Management System - Unrestricted File Upload
Published: April 21, 2026
Updated: April 21, 2026
PoC Available
Remote Exploitable
Overview
Visitor Management System 1.0 by sanjay1313 contains an unrestricted file upload vulnerability caused by the lack of MIME type, extension, or content validation around the move_uploaded_file() calls in vms/php/admin_user_insert.php and vms/php/update_1.php, letting an authenticated admin upload PHP webshells and execute code remotely.
Severity & Score
Severity: High
CVSS Score: 7.2
Impact
Authenticated admins can upload malicious files to execute arbitrary code remotely, potentially compromising the entire server.
Mitigation
Update to the latest version with proper file validation or apply patches to validate MIME type, extension, and content before file upload.
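A hardened upload handler illustrating the mitigation above. This is an added example and not code from the Visitor Management System; the form field name, upload directory and size limit are assumptions.

```php
<?php
// Added example (not the project's code): a hardened replacement for an
// unchecked move_uploaded_file() call in an admin profile-image upload.
// Assumes the form field is named "image" and that $uploadDir is a directory
// outside the web root; both are assumptions, not taken from the project.
function saveUploadedImage(array $file, string $uploadDir): string
{
    // 1. Reject anything PHP flagged as an error, and require that the
    //    file really arrived via an HTTP upload (not an arbitrary path).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received');
    }

    // 2. Size cap (constructed limit; adjust to the application's needs).
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // 3. Extension allowlist, taken only from the original name, lower-cased.
    //    A name like "x.php.jpg" yields "jpg" and is renamed anyway in step 6.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not permitted');
    }

    // 4. MIME type detected from the bytes on disk, never from the
    //    client-supplied $file['type'] header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // 5. Content check: the file must parse as an image of the expected type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        throw new RuntimeException('Not a valid image');
    }

    // 6. Never reuse the client's filename: random name, allowlisted extension,
    //    stored outside the document root. Image checks alone do not rule out
    //    trailing script bytes, so the storage location is the real control.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}
// Usage in the admin handler: $path = saveUploadedImage($_FILES['image'], '/var/app/uploads');
```

Serve stored files back through a script that sets a fixed Content-Type and Content-Disposition rather than by a direct path, so the web server never hands them to the PHP interpreter.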
Details
- CVE ID: CVE-2026-37748
- Severity: High
- CVSS Score: 7.2
- Type: unrestricted_file_upload
- Status: unconfirmed
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H