Description
A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the file upload functionality of CODEASTRO Membership Management System v1.0 enables attackers to upload malicious files due to lack of proper sanitization. By injecting executable content, an attacker can run arbitrary code on the web server, effectively gaining full control over the affected system. The impact is a complete compromise of confidentiality, integrity, and availability for the targeted installation.

Affected Systems

The affected product is the CODEASTRO Membership Management System, version 1.0, accessed via the /add_members.php endpoint. No other versions or vendors are listed as vulnerable.

Risk and Exploitability

The vulnerability presents a high risk because it permits remote code execution without authentication. Its exploitability is relatively straightforward—an attacker must submit a crafted file through the upload interface, a step that can be performed over a public web service. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of any mitigation provided by the vendor combined with the potential for uncontrollable code execution warrants a high threat rating.

Generated by OpenCVE AI on May 7, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the upload directory to a location outside the web root to prevent direct web access to uploaded files.
  • Validate uploaded files rigorously by checking MIME types, file extensions, and performing a thorough content scan to reject non‑image and non‑document files.
  • Configure the web server to disable execution of scripts in the upload directory and enforce strict file permissions.

Generated by OpenCVE AI on May 7, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Improper File Sanitization Allows Remote Code Execution via File Upload in CODEASTRO Membership Management System
First Time appeared Codeastro
Codeastro membership Management System
Weaknesses CWE-20
Vendors & Products Codeastro
Codeastro membership Management System

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE.
References

Subscriptions

Codeastro Membership Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T16:12:56.081Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36387

cve-icon Vulnrichment

Updated: 2026-05-07T16:12:52.062Z

cve-icon NVD

Status : Received

Published: 2026-05-07T16:16:19.013

Modified: 2026-05-07T17:15:58.600

Link: CVE-2026-36387

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T16:30:15Z

Weaknesses