CVE Catalog

CVE-2026-36723

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
1.08%

78th percentile - higher than 78% of all known CVEs

Summary

Version 8.3 of the bookcars application contains an unrestricted file rename vulnerability in the /api/create-user component, allowing authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem.

Risk Assessment

This vulnerability enables unauthorized access to sensitive files, overwriting of critical application files, and remote code execution, posing a serious threat to the organization's security.

Recommendation

It is recommended to immediately update the bookcars application to the latest version to eliminate this vulnerability and implement additional security measures to prevent unauthorized access to the filesystem.

Original NVD description (English source)

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS