HIGH 7.3

CVE-2026-11344: Unrestricted File Upload in code-projects Vehicle Management System 1.0

A file upload vulnerability exists in code-projects Vehicle Management System version 1.0. An attacker can bypass upload restrictions by manipulating the photo parameter in the New Driver Registration Form, allowing them to upload arbitrary files to the server without authentication. This can lead to remote code execution or other system compromise. Public exploit code is available, making active exploitation likely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-284, CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11344 affects the newdriver.php component in code-projects Vehicle Management System 1.0. The vulnerability stems from improper input validation on the photo parameter in the New Driver Registration Form handler. The flaw allows unrestricted file upload (CWE-434) due to insufficient access controls (CWE-284). An unauthenticated attacker can craft a request that manipulates the photo argument to bypass server-side upload validation, enabling arbitrary file placement on the web-accessible filesystem. The CVSS 3.1 score of 7.3 (HIGH) reflects network-based attack vector, low complexity, no privilege requirement, and impacts to confidentiality, integrity, and availability.

Business impact

Successful exploitation enables attackers to upload and execute malicious files on affected systems. Risk includes data theft from driver records, system compromise for lateral movement into networks, website defacement, malware distribution, and potential ransomware staging. For organizations using this Vehicle Management System—particularly transportation, logistics, or ride-sharing operations—this creates a direct pathway to operational disruption and sensitive driver/vehicle data exposure. The public availability of exploit code elevates this from theoretical to immediate practical threat.

Affected systems

code-projects Vehicle Management System version 1.0 is affected. The vulnerability is present in the New Driver Registration Form (newdriver.php). Any deployment of this version accessible over a network is at risk. Verify your organization's deployment version and whether this component is exposed to untrusted networks or the internet.

Exploitability

This vulnerability is highly exploitable. Attack complexity is low, no authentication is required, and exploitation can be performed entirely remotely over the network. The public disclosure of exploit code and the straightforward nature of file upload attacks mean this is likely being actively exploited in the wild. Organizations should treat this as an imminent threat if they operate affected instances.

Remediation

Immediate action is required. Options include: (1) upgrade code-projects Vehicle Management System to a patched version that addresses CWE-434 and CWE-284, or (2) if no patch is available, implement compensating controls such as restricting file upload functionality, moving upload directories outside the web root, validating file types and sizes strictly, implementing virus scanning on uploaded files, and restricting web server permissions to prevent execution of uploaded content. Consult the vendor's security advisory for version-specific guidance.

Patch guidance

Verify the latest patched version availability directly from code-projects. Until a patch is confirmed and tested, apply defense-in-depth measures: disable the New Driver Registration Form if not actively required, restrict network access to newdriver.php to trusted IP ranges, and implement web application firewall rules to block suspicious upload patterns. When a patch becomes available, prioritize testing and deployment given the HIGH severity and public exploit availability.

Detection guidance

Monitor for POST/PUT requests to newdriver.php with photo parameter manipulation. Look for uploads of suspicious file extensions (.php, .exe, .jsp, .sh, .py) in your web server upload directories. Correlate with logs showing web server child processes or unexpected script execution patterns. File integrity monitoring on upload directories can flag unauthorized file creation. Review web access logs for requests to newdriver.php originating from external sources, particularly those with unusual parameter encoding or multiple failed requests suggesting probing.

Why prioritize this

This merits urgent priority due to: (1) HIGH CVSS score (7.3) with direct impact to confidentiality, integrity, and availability; (2) remote, unauthenticated exploitation requiring no user interaction; (3) public exploit code availability increasing exploitation likelihood; (4) file upload vulnerabilities commonly serving as entry points for code execution and system takeover; (5) sensitivity of driver management systems for regulated industries. Organizations running version 1.0 should treat this as a critical business risk requiring immediate remediation.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) is justified by: Attack Vector: Network (maximum impact), Attack Complexity: Low (minimal attack requirements), Privileges Required: None (zero authentication), User Interaction: None (no social engineering needed), Scope: Unchanged, with partial impact to Confidentiality, Integrity, and Availability. This reflects an easily exploited vulnerability with significant real-world consequence. Combined with public exploit availability and the sensitive nature of driver/vehicle data, the practical risk exceeds the numerical score.

Frequently asked questions

Are we affected if we're not using the New Driver Registration Form?

Only if you have code-projects Vehicle Management System 1.0 deployed and newdriver.php is present and web-accessible. Even if the form is not actively used, the underlying file upload functionality in the component remains vulnerable. Verify your deployment inventory and confirm whether this component is disabled or removed entirely.

What if we can't patch immediately?

Implement layers of protection: (1) disable or remove newdriver.php if possible, (2) restrict HTTP access to it via firewall or WAF, (3) move the upload directory outside web-accessible paths, (4) enforce strict file type validation (whitelist), (5) disable script execution in upload directories via web server configuration (.htaccess, nginx, IIS settings), and (6) scan uploads with antivirus. These do not replace patching but reduce exploitation window.

How do we know if we've been compromised?

Review web server access logs for unusual POST/PUT activity to newdriver.php, check upload directories for unexpected files (especially with executable extensions), examine web server error logs for script execution errors, audit process logs for child processes spawned by the web server user, and review file integrity baselines. If compromise is suspected, isolate affected systems, preserve logs, and engage incident response.

Will upgrading the Vehicle Management System break our driver registration process?

That depends on the specific patch version available. Always test patches in a non-production environment first, verify that driver registration functionality works as expected, and confirm backward compatibility with your existing driver records. Contact code-projects support for migration guidance specific to your deployment.

This analysis is based on publicly available CVE data and vendor disclosures as of 2026-06-17. SEC.co does not provide guarantee of patch availability or timelines. Organizations must verify all patch information against official vendor advisories before deployment. This vulnerability description does not constitute legal advice, compliance guidance, or warranty of any kind. Consult with your internal security team, vendor support, and compliance stakeholders before making remediation decisions. Exploit code availability and exploitation timelines are subject to change; threat intelligence feeds should be monitored continuously for updates. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).