MEDIUM 5.4

CVE-2026-36722: Bookcars v8.3 Authenticated File Upload RCE Vulnerability

Bookcars v8.3 contains a file upload vulnerability in its car image creation API that allows authenticated users to upload specially crafted files and potentially execute arbitrary code on the server. An attacker with valid credentials can exploit this weakness to compromise the application and potentially gain control of the underlying system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36722 is an authenticated arbitrary file upload vulnerability affecting the /api/create-car-image endpoint in bookcars v8.3. The vulnerability stems from insufficient validation of uploaded files, allowing attackers who have valid authentication credentials to bypass file type restrictions and upload malicious payloads. Successful exploitation can lead to arbitrary code execution on the server. The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for prior authentication and the integrity and confidentiality impact, though availability is not directly affected.

Business impact

While this vulnerability requires valid authentication to exploit, it represents a significant insider threat or post-compromise risk. If an attacker gains credentials through phishing, credential stuffing, or social engineering, they can upload malicious files to execute code on your bookcars infrastructure. For car rental or booking platforms, this could lead to data theft (customer information, payment details), service disruption, reputational damage, and potential regulatory compliance violations depending on stored data sensitivity.

Affected systems

Bookcars v8.3 is affected. Organizations running this specific version should prioritize assessment. Verify whether your deployment uses v8.3 and check with the Bookcars project for patch availability and guidance on newer versions.

Exploitability

This vulnerability requires valid authentication, which significantly limits opportunistic exploitation from the internet. However, the attack surface is wider in environments where credentials are shared, weak, or compromised. Given that file uploads are typically user-facing features in booking applications, the attack path is straightforward once authenticated. The vulnerability is not currently tracked in the CISA KEV catalog, indicating limited evidence of active exploitation at the time of publication.

Remediation

Immediately update bookcars to a patched version if available from the project maintainers. If no patch exists, implement strict file upload controls: enforce allowlisting of file types (whitelist only necessary image formats), store uploads outside the web root, disable script execution in upload directories, and validate file content headers independent of file extensions. Consider restricting upload functionality to trusted roles only and implementing virus scanning on all uploaded files.

Patch guidance

Check the Bookcars project repository and official security advisories for patch availability. Update to the latest stable release that addresses CVE-2026-36722. Verify the patch by testing file uploads with intentionally malicious payloads in a controlled environment before deploying to production. Document the patch date and version applied for compliance and audit purposes.

Detection guidance

Monitor API logs for unusual activity on the /api/create-car-image endpoint, particularly POST requests from unexpected user accounts or IP ranges. Look for file uploads with suspicious MIME types, executable extensions (.php, .jsp, .sh, .exe), or polyglot payloads. Enable web application firewall (WAF) rules to block uploads containing script signatures or executable code patterns. Implement integrity monitoring on the application directory to detect unauthorized file creation or modification.

Why prioritize this

Although assigned a MEDIUM severity score, prioritize this vulnerability because it directly enables code execution and affects an active application component. Authentication requirement reduces blast radius but increases insider threat concerns. Organizations with shared credentials, weak access controls, or high-value data in their bookcars deployment should treat this as higher priority. The lack of KEV listing does not diminish the need to patch promptly.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects: (1) network-based attack vector with low complexity, (2) requirement for valid authentication (PR:N resolved via user interaction), (3) limited impact to confidentiality and integrity, and (4) no direct availability impact. The score would be significantly higher without the authentication prerequisite. Organizations should supplement this with risk ratings accounting for credential exposure likelihood, data sensitivity, and operational criticality.

Frequently asked questions

Does this vulnerability affect all versions of Bookcars?

No, CVE-2026-36722 specifically affects Bookcars v8.3. Check your deployment version immediately. Verify patch status for v8.3 and determine whether your organization is on an affected version before escalating.

Can this be exploited without valid credentials?

No, this vulnerability requires prior authentication. An attacker must have valid user credentials to access the /api/create-car-image endpoint. However, if your environment uses weak passwords, shared credentials, or has had credential exposure, treat this as a higher-priority threat.

What happens if someone successfully exploits this?

Successful exploitation enables arbitrary code execution on your server with the privileges of the web application process. This could allow data theft, lateral movement within your infrastructure, malware installation, or complete system compromise depending on your security controls and server configuration.

Is there active exploitation of this vulnerability?

As of the published date, this vulnerability is not listed in the CISA KEV catalog, which typically indicates limited evidence of active exploitation. However, absence from the KEV catalog does not mean exploitation is impossible—only that it has not been widely observed or reported by security agencies.

This analysis is based on publicly available vulnerability data as of the publication date. Patch availability, version numbers, and exploit status may change. Organizations should verify all patch information directly against official Bookcars security advisories and vendor documentation. This assessment does not constitute professional security advice; conduct your own risk assessment based on your environment, threat model, and data sensitivity. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).