CVE-2026-36722
Description
BookCars v8.3 has an arbitrary file upload vulnerability in /api/create-car-image, allowing code execution via crafted files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An unrestricted file upload vulnerability exists in BookCars versions up to and including v8.3. The /api/create-car-image component, specifically within the /backend/src/routes/userRoutes.ts and /backend/src/controllers/userController.ts files, allows uploaded files to be stored without proper validation of file type or content. While the application generates a safe filename, it fails to validate the file extension or the actual content type of uploaded files [1].
Exploitation
Attackers can exploit this vulnerability by uploading a crafted file. The application only generates a safe filename but does not validate the file extension or content type. This allows for the upload of arbitrary file types, such as HTML files containing malicious JavaScript, which can then be executed when accessed through the CDN directory [1].
Impact
Successful exploitation of this vulnerability can lead to stored Cross-Site Scripting (XSS) attacks. When an attacker uploads a malicious file containing JavaScript, it will be executed when accessed via the CDN directory. This could result in the compromise of user sessions or the execution of arbitrary actions within the context of the victim's browser [1].
Mitigation
To mitigate this vulnerability, it is recommended to implement a strict whitelist of allowed file extensions, validate file content using magic bytes verification, enforce proper Content-Type and Content-Disposition headers when serving uploaded files, apply CSP policies to CDN directories, and sanitize or reject files that may contain executable code. The specific fixed version and release date are not yet disclosed in the available references [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to validate uploaded file types, allowing arbitrary file uploads."
Attack vector
An authenticated attacker can exploit this vulnerability by uploading a crafted HTML file containing malicious JavaScript to the `/api/create-car-image` endpoint. The application generates a safe filename but does not validate the file extension or content. When this file is accessed through the CDN directory, the embedded JavaScript will execute, leading to a stored Cross-Site Scripting (XSS) attack [1].
Affected code
The vulnerability resides in the /api/create-car-image component, specifically within the backend code located at `/backend/src/routes/userRoutes.ts` and `/backend/src/controllers/userController.ts`. The code handles file uploads without performing adequate validation on the file's extension or content [1].
What the fix does
The advisory recommends implementing a strict whitelist of allowed file extensions, validating file content using magic-byte verification, and enforcing proper Content-Type and Content-Disposition headers. Additionally, applying CSP policies to CDN directories and sanitizing or rejecting files with executable code are suggested mitigations. No patch showing these changes is linked, and the advisory does not specify a version that contains a fix.
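The Mitigation section above and this "What the fix does" summary list the same controls: an extension whitelist, magic-byte verification of the content, and safe response headers when the stored file is served. The following TypeScript is an added example of those controls, written here for illustration; it is not BookCars project code and does not reproduce the real `userController.ts` handler. It assumes the upload reaches the server as an original filename plus raw bytes and that the server already generates its own storage name (the `generatedId` parameter is a placeholder for that); framework wiring such as the route definition and multipart parsing is left out.

```typescript
// Added example (not BookCars code): validate an uploaded car image and
// build the headers used when serving it from the CDN directory.

type ImageType = "png" | "jpeg" | "gif" | "webp";

// Strict whitelist: each allowed extension maps to the content its bytes must match.
const ALLOWED_EXTENSIONS: Record<string, ImageType> = {
  ".png": "png",
  ".jpg": "jpeg",
  ".jpeg": "jpeg",
  ".gif": "gif",
  ".webp": "webp",
};

const MIME_TYPES: Record<ImageType, string> = {
  png: "image/png",
  jpeg: "image/jpeg",
  gif: "image/gif",
  webp: "image/webp",
};

function startsWith(bytes: Uint8Array, prefix: number[], offset = 0): boolean {
  if (bytes.length < offset + prefix.length) return false;
  return prefix.every((b, i) => bytes[offset + i] === b);
}

// Magic-byte check for the whitelisted formats only. HTML, SVG, scripts or
// anything else that does not carry one of these signatures yields null.
function detectImageType(bytes: Uint8Array): ImageType | null {
  if (startsWith(bytes, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  if (startsWith(bytes, [0xff, 0xd8, 0xff])) return "jpeg";
  if (startsWith(bytes, [0x47, 0x49, 0x46, 0x38, 0x37, 0x61]) ||
      startsWith(bytes, [0x47, 0x49, 0x46, 0x38, 0x39, 0x61])) return "gif";
  // WebP: "RIFF" <4-byte length> "WEBP"
  if (startsWith(bytes, [0x52, 0x49, 0x46, 0x46]) &&
      startsWith(bytes, [0x57, 0x45, 0x42, 0x50], 8)) return "webp";
  return null;
}

interface UploadDecision {
  ok: boolean;
  reason?: string;
  storedName?: string;   // server-generated name; the client's name is never reused
  contentType?: string;
}

// Three checks, in order: extension on the whitelist, bytes are a real image,
// and the detected type agrees with the extension (so "x.png" holding HTML fails).
function validateImageUpload(originalName: string, bytes: Uint8Array, generatedId: string): UploadDecision {
  const dot = originalName.lastIndexOf(".");
  const ext = dot >= 0 ? originalName.slice(dot).toLowerCase() : "";
  const expected = ALLOWED_EXTENSIONS[ext];
  if (!expected) return { ok: false, reason: `extension not allowed: ${ext || "(none)"}` };
  const detected = detectImageType(bytes);
  if (!detected) return { ok: false, reason: "content is not a recognised image" };
  if (detected !== expected) return { ok: false, reason: `extension ${ext} does not match content ${detected}` };
  return { ok: true, storedName: `${generatedId}${ext}`, contentType: MIME_TYPES[detected] };
}

// Headers for serving a stored upload. Even if a bad file were already in the
// directory, an explicit image Content-Type, nosniff and a restrictive CSP keep
// the browser from rendering it as a page.
function downloadHeaders(contentType: string, storedName: string): Record<string, string> {
  return {
    "Content-Type": contentType,
    "Content-Disposition": `inline; filename="${storedName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

// Constructed sample inputs (not real uploads): a PNG signature plus a few
// bytes, and an HTML document renamed to look like an image.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const SAMPLE_HTML = ascii("<html><body>constructed sample</body></html>");

function runDemo(): UploadDecision[] {
  const results = [
    validateImageUpload("car.png", SAMPLE_PNG, "id-0001"),   // accepted
    validateImageUpload("page.html", SAMPLE_HTML, "id-0002"), // rejected: extension
    validateImageUpload("page.png", SAMPLE_HTML, "id-0003"),  // rejected: not an image
    validateImageUpload("car.jpg", SAMPLE_PNG, "id-0004"),    // rejected: type mismatch
  ];
  for (const r of results) console.log(r.ok ? `stored ${r.storedName} as ${r.contentType}` : `rejected: ${r.reason}`);
  return results;
}
```

The extension check alone would still accept `page.png` containing HTML, which is why the magic-byte result must also agree with the extension; the serving headers are the last layer, for files that reached the directory before the upload check existed.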
Preconditions
- auth: The attacker must be authenticated.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1
News mentions
0
No linked articles in our index yet.