Description
A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-01-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Apply Patch
AI Analysis

Impact

The vulnerability involves an unrestricted file upload endpoint in the prod.php script of the Online Product Reservation System 1.0. An attacker may upload arbitrary files without restriction, potentially including executable or web‑shell payloads. Based on the description, the upload functionality can be accessed remotely, so an attacker could trigger the upload from an external network. However, the CVE description does not explicitly state that uploaded files are executed, so the potential for remote code execution remains an inferred possibility rather than a documented outcome.

Affected Systems

The affected product is code-projects Online Product Reservation System version 1.0. The corresponding CPE identifier fabian:online_product_reservation_system:1.0 confirms the specific build at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the public exploit and remote nature of the upload endpoint suggest that a determined attacker could leverage this flaw, especially if the application is exposed to untrusted users.

Generated by OpenCVE AI on April 18, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict uploads to a whitelist of safe file extensions and enforce server‑side MIME type checks to mitigate the unrestricted upload weakness (CWE‑434).
  • Require proper authentication and authorization before allowing file uploads to address the access control weakness (CWE‑284).
  • If the prod.php endpoint is unnecessary for business operations, disable or remove it; otherwise, configure the upload directory with non‑executable permissions and monitor for unexpected files.
  • Keep the application updated and install any vendor release or patch that addresses this vulnerability as soon as it becomes available.
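As an added illustration of the first three recommendations (example code, not from the Online Product Reservation System or from OpenCVE), a hardened PHP upload handler: it requires an administrator session before any upload work (CWE-284), accepts only allowlisted image extensions whose server-side sniffed MIME type matches (CWE-434), and stores the file under a server-generated name in a directory outside the web root, which is a stronger form of the "non-executable upload directory" advice. The session key, the upload directory, and the form field name are assumptions.

```php
<?php
// Added example, not code from the Online Product Reservation System.
// Session key, upload directory and field name are hypothetical.
declare(strict_types=1);

// CWE-284: require an authenticated administrator session before any upload logic runs.
session_start();
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// CWE-434: allowlist of extensions and the server-side MIME type each one must carry.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_BYTES  = 2 * 1024 * 1024;
// Directory outside the web root (hypothetical path): nothing stored here is ever served as PHP.
const UPLOAD_DIR = '/var/app-data/product-images';

function store_product_image(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || ($file['size'] ?? 0) > MAX_BYTES) {
        return null;
    }
    // The client-supplied extension is only a lookup key into the allowlist, never trusted alone.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Sniff the real content type from the bytes on disk; $_FILES['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Server-generated name: no path separators, no double extensions, no user input.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // data only, never executable
    return basename($dest);
}

$stored = isset($_FILES['image']) ? store_product_image($_FILES['image']) : null;
echo $stored === null ? 'Upload rejected' : 'Stored as ' . $stored;
```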



Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:30:00 +0000

Type: Description
Values removed: A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.
Values added: A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing a manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.

Fri, 09 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values added: Fabian; Fabian online Product Reservation System
Type: CPEs
Values added: cpe:2.3:a:fabian:online_product_reservation_system:1.0:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Fabian; Fabian online Product Reservation System

Tue, 06 Jan 2026 21:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values added: Code-projects; Code-projects online Product Reservation System
Type: Vendors & Products
Values added: Code-projects; Code-projects online Product Reservation System

Sun, 04 Jan 2026 09:45:00 +0000

Type: Description
Values added: A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.
Type: Title
Values added: code-projects Online Product Reservation System prod.php unrestricted upload
Type: Weaknesses
Values added: CWE-284; CWE-434
Type: References
Values added:
Type: Metrics
Values added:
cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:12:08.936Z

Reserved: 2026-01-03T16:01:46.499Z

Link: CVE-2026-0577

Vulnrichment

Updated: 2026-01-06T19:43:51.315Z

NVD

Status: Modified

Published: 2026-01-04T10:15:41.177

Modified: 2026-02-23T09:16:32.653

Link: CVE-2026-0577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses