CVE-2021-36622

CRITICAL

Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload via Admin Profile Photo

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-36622. PoCs published by faisalfs10x.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated arbitrary file upload vulnerability in the Online Covid Vaccination Scheduler System 1.0, allowing remote code execution via a malicious PHP file upload. The PoC includes a reverse shell payload for Windows targets.

Description

Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to Arbitrary File Upload. The admin panel has a profile photo upload function accessible at http://localhost/scheduler/admin/?page=user. An attacker could upload a malicious file such as shell.php with the Content-Type: image/png. Then, the attacker has to visit the uploaded profile photo to access the shell.

Exploits (1)

exploitdb WORKING POC
by faisalfs10x · python · webapps · php
https://www.exploit-db.com/exploits/50114

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Online Covid Vaccination Scheduler System 1.0
No auth needed
Prerequisites: Access to the target web server · Network connectivity to the attacker's machine for reverse shell
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/50114

Scores

CVSS v3 9.8
EPSS 0.0187
EPSS Percentile 76.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (1)
online_covid_vaccination_scheduler_system_project/online_covid_vaccination_scheduler_system 1.0
Published Aug 03, 2021
Tracked Since Feb 18, 2026