CVE-2026-36723
HighCVSS 8.8Exploitation Probability (EPSS)
High risk78th percentile - higher than 78% of all known CVEs
Summary
Version 8.3 of the bookcars application contains an unrestricted file rename vulnerability in the /api/create-user component, allowing authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem.
Risk Assessment
This vulnerability enables unauthorized access to sensitive files, overwriting of critical application files, and remote code execution, posing a serious threat to the organization's security.
Recommendation
It is recommended to immediately update the bookcars application to the latest version to eliminate this vulnerability and implement additional security measures to prevent unauthorized access to the filesystem.
Original NVD description (English source)
An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).

