Description
A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Executing a manipulation of the argument image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw was identified in itsourcecode Online Hotel Management System 1.0 in the admin amenities module, specifically in /admin/mod_amenities/controller.php when it is called with action=add. The vulnerability resides in an unknown function that processes the image argument: the value can be manipulated so that the handler stores a file whose type is not restricted. This permits the placement of arbitrary files on the server and, if the upload directory is served from the web root and the server executes files placed there (for example a .php file), could allow the attacker to execute code on the server. The flaw is classified as CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

The affected product is itsourcecode Online Hotel Management System, version 1.0. Users running this version of the application are at risk, as the vulnerability exists in the admin module that manages amenities. There is no other version information provided, so all deployments of the 1.0 release should be considered vulnerable.

Risk and Exploitability

The CVSS v4.0 score is 6.9 (Medium); the assigner's CVSS v3.0 and v3.1 vectors recorded in the History section score 7.3, and the v2.0 vector 7.5. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. The description confirms that the attack can be launched remotely and that an exploit has been published; the recorded vectors carry the matching temporal value (E:P in v3.x and v4.0, E:POC in v2.0). The description does not say whether authentication is required. The vectors assign PR:N (no privileges required), but the affected script lives under /admin/, so whether the add action is reachable without an admin session should be verified against a deployment rather than assumed either way. The risk is that attackers can upload files of arbitrary type to the server, compromising its integrity and confidentiality.

Generated by OpenCVE AI on June 29, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply any vendor‑released patch that addresses CVE‑2026‑13553 as soon as it becomes available
  • Modify the file‑upload handler to validate each file by content (for example with finfo and getimagesize) and by extension against an allowlist of safe image formats such as .jpg, .png and .gif, ignoring the client‑supplied filename and Content‑Type, and store the file under a server‑generated name
  • Store uploads outside the web‑root, or in a directory where the web server is configured not to execute scripts (no PHP handler and no execute permission), and restrict that directory so the application can write to it but nothing placed in it is ever served or run as code

Generated by OpenCVE AI on June 29, 2026 at 11:23 UTC.
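
The two handler-side actions above, as an added example (not code from the itsourcecode project, whose controller.php is not reproduced on this page): a PHP upload routine that accepts only content-verified images, discards the client-supplied filename and Content-Type, and stores the result outside the web root, plus a small serving function so the upload directory never has to be web-accessible. The form field name image comes from the description; the storage path, size limit, function names and the admin session check in the usage comment are assumptions.

```php
<?php
// Added example, not the project's own code. Assumptions: the form field is "image",
// files are kept in UPLOAD_DIR (outside the document root), and images are served
// back through serve_image() below rather than directly by the web server.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/hotel/uploads'; // hypothetical path outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist: extension => MIME type the file CONTENT must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and return the server-generated name it was stored under.
 * Throws RuntimeException on any failed check. Never trusts ['name'] or ['type'],
 * both of which the client controls.
 */
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Extension check against the allowlist (the name is still untrusted after this).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Content sniffing: the bytes must be the type the extension claims.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Independent second check: it must decode as an image of the same kind.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a decodable image');
    }
    // Drop the user-chosen name entirely; random name plus canonical extension.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2], true);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

/**
 * Serve a stored image by name. The directory is outside the web root, so the web
 * server never executes anything in it; this function only streams bytes with a
 * fixed Content-Type derived from the allowlist.
 */
function serve_image(string $name): void
{
    // Accept only names store_image() can have produced.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpe?g|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the add action. The session check is a placeholder for whatever the
// application actually uses; it addresses the CWE-284 side of the record.
// if (empty($_SESSION['admin_id'])) { http_response_code(403); exit; }
// $stored = store_image($_FILES['image'] ?? []);
```

The three checks are deliberately redundant: the extension allowlist stops .php and double-extension names, finfo rejects a PHP file renamed to .jpg, and getimagesize rejects a polyglot that fools finfo but does not decode. Even if all three were bypassed, the random name and the out-of-web-root directory mean nothing the attacker uploads has a URL that the web server will execute.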

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 10:15:00 +0000

Type / Values Added (the Values Removed column is empty for this entry)

Description
  A flaw has been found in itsourcecode Online Hotel Management System 1.0. Affected is an unknown function of the file /admin/mod_amenities/controller.php?action=add. Executing a manipulation of the argument image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used.

Title
  itsourcecode Online Hotel Management System controller.php add unrestricted upload

First Time appeared
  • Itsourcecode
  • Itsourcecode online Hotel Management System

Weaknesses
  • CWE-284
  • CWE-434

CPEs
  • cpe:2.3:a:itsourcecode:online_hotel_management_system:*:*:*:*:*:*:*:*

Vendors & Products
  • Itsourcecode
  • Itsourcecode online Hotel Management System

References
  (none listed)

Metrics
  • cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  • cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T09:00:11.093Z

Reserved: 2026-06-28T16:02:31.350Z

Link: CVE-2026-13553

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T11:30:05Z

Weaknesses
  • CWE-284: Improper Access Control
  • CWE-434: Unrestricted Upload of File with Dangerous Type