Description
A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.
Published: 2026-04-27
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability is an unrestricted file upload (CWE-434) reachable through the image parameter of the edithousepic.php script in the Online Lot Reservation System: the script accepts the uploaded file without validating its type, content or name. VulDB additionally tags the issue CWE-284 (improper access control). Note, however, that the published CVSS vectors rate the required privileges as high (PR:H in v3/v4, Au:M in v2), so the upload is reachable by a privileged application account rather than by an anonymous visitor. If the upload directory sits inside the document root and the web server executes PHP there, an attacker holding such an account can upload a PHP file and then request it, running arbitrary code with the web server's privileges. The page lists remote code execution as the impact; the CVSS vectors rate the confidentiality, integrity and availability impact as Low and the SSVC assessment records the technical impact as partial, so the actual consequences depend on where the uploaded file lands and how that location is served.

Affected Systems

The affected product is code‑projects Online Lot Reservation System, version 1.0. Any deployment that exposes edithousepic.php to users is affected. The operating system does not matter, but whether a successful upload escalates to code execution depends on the deployment: specifically, on whether the upload directory is served from the web root with script execution enabled.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 (Medium) reflects a network-reachable, low-complexity attack that nonetheless requires high privileges (PR:H) and has a public proof of concept (E:P); the SSVC assessment records exploitation as poc, automatable as no and technical impact as partial. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Because the exploit is public and the flaw can place an attacker-chosen file in a web-accessible directory, any exposed instance where an attacker already holds, or can obtain, a privileged account should be treated as high risk until a mitigation is applied.

Generated by OpenCVE AI on April 28, 2026 at 04:22 UTC.
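Added here as a triage aid, not text from the advisory or code from the project: a PHP script that walks an upload directory and flags files whose extension, detected content type and bytes disagree in the ways a CWE-434 abuse leaves behind (a .php/.phtml file in an image directory, a file with an image extension whose content is not an image, or an image that carries a PHP open tag). The directory path (uploads/ beside the script) and the image allowlist are assumptions; the project's actual upload location is not stated on this page.

```php
<?php
// Added example (not code from the Online Lot Reservation System).
// Post-incident scan of an upload directory for webshell-style files.
declare(strict_types=1);

// Assumed allowlist: detected MIME type => extensions that may carry it.
const ALLOWED = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

function scanUploadDir(string $dir): array
{
    $findings = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        $mime = $finfo->file($path) ?: 'unknown';
        $reasons = [];

        // 1. Extension is not an image extension at all (.php, .phtml, .phar, none).
        $extAllowed = false;
        foreach (ALLOWED as $exts) {
            if (in_array($ext, $exts, true)) {
                $extAllowed = true;
            }
        }
        if (!$extAllowed) {
            $reasons[] = "extension '.$ext' is not an allowed image type";
        }

        // 2. Content type (from the bytes, not the name) does not match the extension.
        if (!isset(ALLOWED[$mime]) || !in_array($ext, ALLOWED[$mime], true)) {
            $reasons[] = "content detected as $mime";
        }

        // 3. PHP open tag anywhere in the first MiB: catches image/PHP polyglots
        //    (e.g. a real GIF header followed by code) that pass checks 1 and 2.
        $head = file_get_contents($path, false, null, 0, 1 << 20);
        if ($head !== false && preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'contains a PHP open tag';
        }

        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

// Assumed location; replace with the deployment's real upload directory.
foreach (scanUploadDir(__DIR__ . '/uploads') as $path => $reasons) {
    printf("%s\n  - %s\n", $path, implode("\n  - ", $reasons));
}
```

A hit on check 1 or 3 in a directory the web server executes PHP from should be treated as a likely compromise: pull the web server access log for requests to that file name and check the file's mtime against the log to establish when it was first fetched.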

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate uploads server-side from the file's bytes, not from the client-supplied Content-Type or original filename: detect the type with finfo/getimagesize, accept only an explicit allowlist of image types, and give the stored file a server-generated name and extension.
  • Enforce authentication and authorization so that only a logged-in user who is permitted to edit the house record can invoke edithousepic.php and replace its picture.
  • Store uploaded files outside the web root (or in a directory where script execution is disabled) and serve them through a controlled handler, so an uploaded payload is never executed.

Generated by OpenCVE AI on April 28, 2026 at 04:22 UTC.
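The three recommended actions above, worked through as an added example of a hardened handler for an image form field. This is not the project's code (the vulnerable edithousepic.php itself is not shown on this page); the storage path, the session layout, the ownership check and the vulnerable pattern sketched in the opening comment are all assumptions, and only the field name image comes from the advisory.

```php
<?php
// Added example of a hardened image-upload handler; not code from the
// Online Lot Reservation System. Storage path and session keys are assumptions.
declare(strict_types=1);

// Typical CWE-434 pattern this advisory class describes (constructed, for
// contrast only; do not use):
//   move_uploaded_file($_FILES['image']['tmp_name'],
//                      'uploads/' . $_FILES['image']['name']);
// The name is attacker-controlled (shell.php, shell.phtml, ../), the bytes are
// never inspected, and 'uploads/' is served by the web server, so the file
// runs as PHP on the next GET.

const UPLOAD_FIELD  = 'image';
const MAX_BYTES     = 2 * 1024 * 1024;
const STORAGE_DIR   = '/var/lib/lotreservation/house_pics'; // assumed, outside the web root
// Allowlist keyed by the type detected from content, never by
// $_FILES[...]['type'] or the client's extension.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns [true, extension] or [false, reason].
function validateImageUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // Type from the bytes on disk.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return [false, "rejected content type '$mime'"];
    }
    // Independent second check: the image header must actually parse.
    if (getimagesize($file['tmp_name']) === false) {
        return [false, 'not a decodable image'];
    }
    return [true, ALLOWED_TYPES[$mime]];
}

function storeImage(string $tmpPath, string $ext): string
{
    // Server-generated name: no client characters, no path parts, and the
    // extension follows the detected type, so "shell.php.jpg" can never survive.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = STORAGE_DIR . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store image');
    }
    chmod($dest, 0640); // not executable
    return $name;
}

// Request handling (assumed session layout: user_id set at login).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('forbidden');
}
$houseId = (int)($_POST['house_id'] ?? 0);
// Authorization belongs here too: confirm $_SESSION['user_id'] may edit
// $houseId in the application's own records before touching the file.

[$ok, $info] = validateImageUpload($_FILES[UPLOAD_FIELD] ?? []);
if (!$ok) {
    http_response_code(400);
    exit('rejected: ' . $info);
}
$stored = storeImage($_FILES[UPLOAD_FIELD]['tmp_name'], $info);
// Persist $stored against $houseId; serve it later through a read-only script
// that streams from STORAGE_DIR with a Content-Type derived from the extension.
echo 'stored';
```

Two points worth keeping in mind with this design: an image that passes finfo and getimagesize can still carry PHP in a comment chunk, which is harmless only because the file is stored outside the web root under a non-script extension (re-encoding through GD, imagecreatefromstring followed by imagepng, would additionally strip such payloads); and if the deployment cannot move storage outside the document root, the directory must at least have PHP execution disabled in the web server configuration, because a random file name alone does not stop a file from executing once its URL is known.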

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Code-projects; Code-projects online Lot Reservation System

Type: Vendors & Products
Values Added: Code-projects; Code-projects online Lot Reservation System

Mon, 27 Apr 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 15:30:00 +0000

Type: Description
Values Added: A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.

Type: Title
Values Added: code-projects Online Lot Reservation System edithousepic.php unrestricted upload

Type: Weaknesses
Values Added: CWE-284; CWE-434

Type: References
Values Added: (empty)

Type: Metrics
Values Added:
cvssV2_0  {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0  {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1  {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0  {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T15:49:54.166Z

Reserved: 2026-04-26T19:21:05.747Z

Link: CVE-2026-7134

Vulnrichment

Updated: 2026-04-27T15:49:34.223Z

NVD

Status: Deferred

Published: 2026-04-27T16:16:46.543

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-7134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:17:02Z

Weaknesses