Description
A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in the Vehicle Management System’s New Driver Registration page, where the photo upload field is not validated. An attacker can supply any file type, including server‑side scripts, enabling them to execute arbitrary code on the host. The weakness demonstrates lack of proper access control (CWE‑284) and unrestricted file upload (CWE‑434).

Affected Systems

The vulnerability is present in code‑projects Vehicle Management System 1.0, affecting the newdriver.php component used for adding drivers.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is unavailable, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is remote; an attacker can trigger the flaw by sending a crafted request to the public newdriver.php endpoint. Since the upload is unrestricted, the attacker can place a malicious script on the server, leading to remote code execution and full compromise of the system’s confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 5, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version of Vehicle Management System that implements proper upload validation or apply a vendor-provided patch if available.
  • Implement server‑side checks to allow only image MIME types and extensions, hash the uploads, and store them outside the web root to prevent direct execution.
  • Enforce strict size limits on uploaded files and sanitize file names to prevent directory traversal or other injection attacks.
  • If no patch is available, temporarily disable the new driver registration form or restrict access to trusted users until a fix is applied.
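A handler for the `photo` field that applies the server-side checks recommended above, as an added example (not code from Vehicle Management System or its vendor). The storage directory, the 2 MiB limit, the JPEG/PNG allow-list and the function name `store_driver_photo` are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed values for illustration: not taken from the application.
const PHOTO_DIR = '/var/lib/vms/driver_photos';   // outside the web root
const PHOTO_MAX_BYTES = 2 * 1024 * 1024;          // 2 MiB
const PHOTO_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// Validate one $_FILES entry and store it under a server-chosen name.
// Returns the stored file name; throws RuntimeException on rejection.
function store_driver_photo(array $file): string
{
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or malformed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > PHOTO_MAX_BYTES) {
        throw new RuntimeException('size out of bounds');
    }
    // Detect the type from file content; the client-sent name and
    // Content-Type ($file['name'], $file['type']) are never trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(PHOTO_TYPES[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // The content must also parse as an image of that same type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Name = content hash + extension from the allow-list, so no part of
    // the client file name (and no "../") reaches the filesystem.
    $name = hash_file('sha256', $file['tmp_name']) . '.' . PHOTO_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], PHOTO_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod(PHOTO_DIR . '/' . $name, 0640);
    return $name;
}

// In the form handler (field name "photo" as in the advisory):
if (isset($_FILES['photo'])) {
    try { $stored = store_driver_photo($_FILES['photo']); }
    catch (RuntimeException $e) { http_response_code(400); exit('Invalid photo'); }
}
```

A file that passes these checks can still carry embedded script text, so the storage location outside the web root and the server-chosen extension are what keep it from being executed.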

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.
Title | | code-projects Vehicle Management System New Driver Registration Form newdriver.php unrestricted upload
First Time appeared | | Code-projects; Code-projects vehicle Management System
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:code-projects:vehicle_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects vehicle Management System
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-05T17:15:10.282Z

Reserved: 2026-06-05T08:22:17.289Z

Link: CVE-2026-11344

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-05T18:17:04.927

Modified: 2026-06-05T19:02:13.790

Link: CVE-2026-11344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:45:06Z

Weaknesses