Description
sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/admin_change_picture.php.
Published: 2026-03-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to supply crafted input to the PHP script that handles image uploads on the admin change-picture page, leading to arbitrary code execution on the server. The flaw is classified as code injection (CWE-94). An attacker who can reach and trigger the upload function could run commands with the privileges of the web application process, compromising the confidentiality, integrity, and availability of the host.

Affected Systems

Personnel Property Equipment System version 1.0, released by the vendor identified in the CPE as jon-remus-sevellejo. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High) corresponds to the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable and low complexity, no user interaction, but requiring high privileges, i.e. an authenticated administrator. The CNA's original scoring (8.8, PR:N/UI:R) instead assumed an unauthenticated attacker relying on user interaction; the difference matters for triage, because under the current vector the flaw is a post-authentication step from admin-panel access to code execution on the host rather than an unauthenticated remote compromise. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment does, however, record Exploitation as "poc", meaning proof-of-concept material is considered to exist, with Automatable as "no" and Technical Impact as "total". The endpoint accepts HTTP requests, so an attacker with network access to the application and the privileges the vector requires can exploit the flaw by submitting a crafted file upload to admin_change_picture.php.

Generated by OpenCVE AI on April 16, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade to a released version that addresses the image upload flaw as soon as the vendor provides one
  • Until then, restrict access to admin_change_picture.php to authorized administrators (for example, by network allowlisting or web-server authentication in front of the admin directory) or disable the endpoint entirely
  • Validate uploads server-side: determine the type from file content rather than the client-supplied name or Content-Type, accept only an allowlist of image types, store files under a server-chosen name outside the web root or in a directory where script execution is disabled, and consider a web application firewall rule to block upload-based injection attempts
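The following is an added example of the upload validation the recommended actions describe; it is not code from Personnel Property Equipment System, and it makes no claim about what admin_change_picture.php actually does beyond the description's statement that the image upload leads to code execution. The upload directory, the `picture` form field, the session key used for the admin check, and the accepted image types are all assumptions chosen for illustration.

```php
<?php
// Added example, not the project's code. Hardened profile-picture upload:
// admin-only, type decided from content, server-chosen filename,
// stored outside the web root with non-executable permissions.
// UPLOAD_DIR, the 'picture' field and $_SESSION['admin_id'] are assumed names.

declare(strict_types=1);

const UPLOAD_DIR    = '/var/app/uploads_private'; // assumed path, outside the web root
const MAX_BYTES     = 2 * 1024 * 1024;
const ALLOWED_TYPES = [                            // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function require_admin(): void
{
    session_start();
    if (empty($_SESSION['admin_id'])) {           // assumed session key for an admin login
        http_response_code(403);
        exit('forbidden');
    }
}

// Returns the extension to use, or throws if the upload must be rejected.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes on disk, never from the client-supplied
    // filename or $file['type'], both of which the attacker controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Second opinion from the image decoder: a PHP file with a fake
    // magic number is unlikely to pass both checks.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return ALLOWED_TYPES[$mime];
}

// Moves the validated file under a random name; returns that name.
function store_upload(array $file, string $ext): string
{
    // The original filename (and any .php, .phtml or double extension in it)
    // never reaches the filesystem: name and extension are server-chosen.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                            // not executable, not world-readable
    return $name;
}

require_admin();
try {
    $ext  = validate_upload($_FILES['picture'] ?? []);
    $name = store_upload($_FILES['picture'], $ext);
    // Persist $name against the admin record here (omitted), and serve the
    // image later through a script that sets Content-Type from ALLOWED_TYPES.
    echo 'ok';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Two of these controls matter even if the others are bypassed: because the file lands outside the web root under a name the server picked, a request for it can never be dispatched to the PHP interpreter, and because the extension comes from the detected type rather than the client, a `.php` upload cannot survive as `.php`. Where an existing deployment must keep uploads under the web root, the same effect is obtained by disabling script execution for that directory at the web-server level.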

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Arbitrary Code Execution via Admin Photo Upload in Personnel Property Equipment System

Wed, 04 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester personnel Property Equipment System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester personnel Property Equipment System

Tue, 03 Mar 2026 18:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Jon-remus-sevellejo; Jon-remus-sevellejo personnel Property Equipment System

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:jon-remus-sevellejo:personnel_property_equipment_system:1.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Jon-remus-sevellejo; Jon-remus-sevellejo personnel Property Equipment System

Mon, 02 Mar 2026 17:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 15:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/admin_change_picture.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-04T17:39:35.421Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26699

Vulnrichment

Updated: 2026-03-02T15:55:53.044Z

NVD

Status : Modified

Published: 2026-03-02T16:16:25.250

Modified: 2026-03-04T18:16:28.997

Link: CVE-2026-26699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z

Weaknesses