Description
Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing an unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Published: 2026-01-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Gotac Police Statistics Database System is an arbitrary file upload flaw that allows an unauthenticated attacker to place any file, including executable web shells, onto the server. This defect, classified as CWE-434, enables an attacker to execute arbitrary code with the privileges of the web application, potentially compromising the entire system, data, and surrounding network.

Affected Systems

This issue affects all deployments of the Gotac Police Statistics Database System running versions earlier than 1.0.3. The vendor has released an update (1.0.3 or later) that removes the unsafe upload functionality, so systems still on older versions are vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the flaw can be exploited remotely over the web interface without authentication. An attacker who can reach the upload endpoint can upload a malicious file, leading to arbitrary code execution. The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests a low exploitation probability. The vulnerability is not listed in the KEV catalog, but the potential impact remains high.

Generated by OpenCVE AI on April 18, 2026 at 05:50 UTC.

Remediation

Vendor Solution

Update to version 1.0.3 or later.


OpenCVE Recommended Actions

  • Upgrade the Police Statistics Database System to version 1.0.3 or later, which eliminates the arbitrary file upload flaw.
  • Until the update can be applied, disable or restrict the file upload functionality on the affected web endpoints to prevent unauthenticated file placement.
  • Implement strict server‑side validation to accept only approved file types and MIME types, reject executable extensions, and monitor the upload directory for unauthorized changes.
  • Deploy a Web Application Firewall rule set that blocks suspicious upload attempts and detects web shell execution patterns.
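The server-side validation recommended above, worked through as an added example. This is illustrative code written for this page, not Gotac's product code or a patch for it; it assumes an upload handler that receives the client filename, the declared MIME type and the raw bytes, an allowlist limited to PNG, JPEG and PDF, a 5 MiB size cap, and storage under a server-generated name outside the web root. The same checks are reused for a periodic sweep of the upload directory (the "monitor the upload directory" point), run here against a constructed temporary directory.

```python
"""Allowlist-based upload validation plus an upload-directory sweep.
Added example for this advisory page; not the vendor's code. The
extension allowlist, size limit and storage naming are assumptions."""
import os
import re
import secrets
import shutil
import tempfile
from dataclasses import dataclass

# Extension -> accepted magic numbers (leading bytes). Anything not listed,
# including .php/.jsp/.aspx, is rejected before content is even inspected.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

# Client-declared MIME types acceptable for each extension (cross-checked,
# never trusted on their own).
ALLOWED_MIME = {
    "png": {"image/png"},
    "jpg": {"image/jpeg"},
    "jpeg": {"image/jpeg"},
    "pdf": {"application/pdf"},
}

MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB cap for this example


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-generated name; never the client's


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Accept only files that pass name, extension, MIME and content checks."""
    if len(data) == 0 or len(data) > MAX_SIZE:
        return Verdict(False, "size out of bounds")

    # Drop any directory components the client sent ("../" or "C:\...").
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Rejects double extensions ("x.php.png"), dotfiles and bare names.
        return Verdict(False, "exactly one extension required")
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return Verdict(False, "disallowed characters in filename")
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} not allowed")
    if declared_mime not in ALLOWED_MIME[ext]:
        return Verdict(False, "declared MIME type does not match extension")
    # Content must carry a magic number matching the extension, so a script
    # renamed to an image extension is refused.
    if not any(data.startswith(m) for m in ALLOWED_TYPES[ext]):
        return Verdict(False, "content does not match extension")

    # Store under a random name; the caller writes it outside the web root.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def audit_upload_dir(path: str) -> list:
    """Sweep an upload directory and report files that would not pass
    validate_upload today: unexpected extensions or content mismatches."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(16)  # longest magic number above is 8 bytes
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED_TYPES:
            findings.append((name, "unexpected extension"))
        elif not any(head.startswith(m) for m in ALLOWED_TYPES[ext]):
            findings.append((name, "content/extension mismatch"))
    return findings


def demo_audit() -> list:
    """Build a constructed upload directory in a temp location and sweep it."""
    d = tempfile.mkdtemp()
    try:
        samples = {  # constructed sample files, not real uploads
            "a1b2.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
            "c3d4.jpg": b"<?php /* constructed placeholder */ ?>",
            "e5f6.php": b"<?php /* constructed placeholder */ ?>",
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return audit_upload_dir(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(validate_upload("report.pdf", "application/pdf", b"%PDF-1.4\n%..."))
    print(validate_upload("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n"))
    print(demo_audit())
```

The two layers matter independently: the extension allowlist stops the obvious case, while the magic-number check catches a script hidden under an approved extension. The sweep reports the same two classes of finding so that a file placed by some other route still surfaces.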

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 20:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Gotac police Statistics Database System
CPEs                                   cpe:2.3:a:gotac:police_statistics_database_system:*:*:*:*:*:*:*:*
Vendors & Products                     Gotac police Statistics Database System

Fri, 16 Jan 2026 15:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Gotac
                                       Gotac statistical Database System
Vendors & Products                     Gotac
                                       Gotac statistical Database System

Fri, 16 Jan 2026 03:15:00 +0000

Type          Values Removed    Values Added
Description                     Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Title                           Gotac|Police Statistics Database System - Arbitrary File Upload
Weaknesses                      CWE-434
References
Metrics                         cvssV3_1
                                {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                cvssV4_0
                                {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Gotac
Police Statistics Database System
Statistical Database System

MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-16T14:41:29.042Z

Reserved: 2026-01-16T02:00:24.357Z

Link: CVE-2026-1021

Vulnrichment

Updated: 2026-01-16T14:41:26.252Z

NVD

Status: Analyzed

Published: 2026-01-16T03:16:18.817

Modified: 2026-01-23T20:24:35.707

Link: CVE-2026-1021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses