Description
A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Patch
AI Analysis

Impact

The vulnerability exists in the Online Lot Reservation System 1.0 within the file /activity.php. The CVE description states only that manipulation of the directory argument causes unrestricted upload; the function involved is recorded as unknown. The flaw maps to CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control). If the directory argument is used to build the destination path and the upload is not otherwise restricted, an attacker could place arbitrary files, including server-side scripts, into directories that the web server will serve or execute. Depending on the server configuration, this could lead to remote code execution, data tampering, or disclosure of sensitive information. (These outcomes are inferred from the nature of the upload flaw and are not stated in the CVE description. Note also that every published CVSS vector for this CVE, listed under History below, rates the required privileges as high.)

Affected Systems

The vulnerability affects code-projects Online Lot Reservation System version 1.0. The vulnerable component is the /activity.php script, which handles file uploads. The CVE record identifies the affected function only as unknown, and no further detail about the directory handling has been published; the flaw is attributed to this version as a whole.

Risk and Exploitability

The CVSS 4.0 score of 5.1 (vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) is medium severity: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires high privileges, so an attacker first needs an account with elevated rights in the application. The CVSS 3.x vectors (PR:H) and the CVSS 2.0 vector (Au:M) agree on that precondition. EPSS is below 1% (very low), and the vulnerability is not listed in the KEV catalog; the SSVC assessment records exploitation as proof-of-concept, not automatable, with partial technical impact. The attack consists of crafted requests to /activity.php that modify the directory parameter so that an uploaded file is written somewhere other than the intended upload location. If that location is under the web root and the server executes scripts there, the result is code execution. (The specific code execution path is inferred and not confirmed by the CVE.) Public disclosure of an exploit combined with the absence of vendor patch information increases the likelihood that this weakness is tried against exposed installations.

Generated by OpenCVE AI on April 28, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade to a version of the Online Lot Reservation System that addresses file upload validation in /activity.php.
  • If a patch is unavailable, restrict the upload functionality to a server-side allowlist of file types (e.g., .jpg, .png), verified against the file contents rather than the client-supplied name or Content-Type; store uploads outside the web root, or in a directory where the web server is configured not to execute scripts, and write them with a server-generated filename.
  • Do not derive the destination from the directory argument. Map it to a fixed set of server-known targets, canonicalize the resolved path, and reject any request whose path contains traversal sequences or resolves outside the permitted base directory.
  • Deploy a web application firewall or intrusion detection system tuned to block suspicious upload patterns to /activity.php (traversal in the directory parameter, executable extensions, mismatched content types) and log every rejected attempt together with the authenticated account, since the attack requires high privileges.
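The mitigations above, written out as a hardened PHP upload handler. This is an added example, not code from code-projects' Online Lot Reservation System (whose vulnerable function has not been published), and it does not reproduce the original handler. It assumes a multipart form with a file field named upload and the directory parameter named in the CVE description; the base path, the allowlisted target names and the size limit are assumptions chosen for illustration. The directory parameter is treated as a key into a server-side allowlist, never as a path, and the resolved destination is re-checked against the base after symlink resolution.

```php
<?php
// Added example: hardened upload handler for the "directory" + file case.
// Not the project's own code. Field name "upload", UPLOAD_BASE, the target
// keys and MAX_BYTES are assumptions for this illustration.

declare(strict_types=1);

// The client may only choose one of these keys; it never supplies a path.
// The base directory lives outside the document root so nothing stored here
// is ever served or executed directly by the web server.
const UPLOAD_BASE = '/var/lib/lotreservation/uploads';
const ALLOWED_DIRECTORIES = [
    'activities' => 'activities',
    'receipts'   => 'receipts',
];

// Allowed extensions and the MIME type the file bytes must actually have.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate the upload request and store the file.
 * Returns the server-chosen filename; throws RuntimeException on any
 * policy violation so the caller can reject the request.
 */
function handleUpload(array $post, array $files): string
{
    // 1. "directory" is an allowlist key, not a filesystem path. A non-string
    //    value (e.g. directory[]=x) is rejected as well.
    $key = $post['directory'] ?? '';
    if (!is_string($key) || !array_key_exists($key, ALLOWED_DIRECTORIES)) {
        throw new RuntimeException('unknown upload target');
    }
    $targetDir = UPLOAD_BASE . '/' . ALLOWED_DIRECTORIES[$key];

    $file = $files['upload'] ?? null;
    if (!is_array($file) || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Extension allowlist. Only the last extension matters because the
    //    stored name (step 4) is generated by the server, so "x.php.jpg"
    //    can never be written out under a name ending in .php.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 3. Content check: sniff the bytes; never trust the client Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 4. Server-chosen name: random, single extension, no client input.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = $targetDir . '/' . $stored;

    // 5. Defence in depth: after symlink resolution the destination directory
    //    must still sit inside UPLOAD_BASE (prefix compare on "base/").
    $realDir  = realpath($targetDir);
    $realBase = realpath(UPLOAD_BASE);
    if ($realDir === false || $realBase === false
        || strncmp($realDir . '/', $realBase . '/', strlen($realBase) + 1) !== 0) {
        throw new RuntimeException('destination escapes upload base');
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $stored;
}

// Entry point for the form submission.
try {
    $name = handleUpload($_POST, $_FILES);
    echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the files are stored outside the document root, the application has to serve them back itself (a download script that looks the stored name up and emits a fixed Content-Type and Content-Disposition header), which is the point: even if a check above were bypassed, the web server never executes anything in UPLOAD_BASE. If the deployment cannot move uploads out of the web root, the same handler should be paired with a web server rule that disables script execution for that directory.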


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

First Time appeared (values added): Code-projects; Code-projects online Lot Reservation System

Vendors & Products (values added): Code-projects; Code-projects online Lot Reservation System

Mon, 27 Apr 2026 15:00:00 +0000

Description (values added): A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Title (values added): code-projects Online Lot Reservation System activity.php unrestricted upload

Weaknesses (values added): CWE-284, CWE-434

References (values added):

Metrics (values added):

cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:52:54.655Z

Reserved: 2026-04-26T19:21:02.542Z

Link: CVE-2026-7133

Vulnrichment

Updated: 2026-04-29T13:52:48.489Z

NVD

Status: Deferred

Published: 2026-04-27T15:16:21.773

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses