CVE-2021-46076

HIGH

Sourcecodester Vehicle Service Management System 1.0 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-46076. PoCs published by sanupl, plsanu.

AI-analyzed exploit summary The repository provides a detailed proof-of-concept for CVE-2021-46076, demonstrating multiple file upload vulnerabilities in Sourcecodester Vehicle Service Management System 1.0 that lead to remote code execution (RCE). The exploit involves uploading a malicious PHP file via various endpoints and executing system commands through a crafted URL.

Description

Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.

Exploits (3)

nomisec WORKING POC 1 stars

by sanupl · poc

https://github.com/sanupl/CVE-2021-46076

View Code ZIP pw:eip

The repository provides a detailed proof-of-concept for CVE-2021-46076, demonstrating multiple file upload vulnerabilities in Sourcecodester Vehicle Service Management System 1.0 that lead to remote code execution (RCE). The exploit involves uploading a malicious PHP file via various endpoints and executing system commands through a crafted URL.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Sourcecodester Vehicle Service Management System 1.0

Auth required

Prerequisites: admin access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 19, 2026 Full analysis →

nomisec WORKING POC

by sanupl · poc

https://github.com/sanupl/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution

View Code ZIP pw:eip

The repository provides a detailed exploit for CVE-2021-46076, demonstrating multiple file upload vulnerabilities in the Vehicle Service Management System 1.0 that lead to remote code execution (RCE). The exploit involves uploading a malicious PHP file through various endpoints and executing system commands via a crafted URL.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Sourcecodester Vehicle Service Management System 1.0

Auth required

Prerequisites: admin access to the target system · ability to upload files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 19, 2026 Full analysis →

nomisec WORKING POC

by plsanu · poc

https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution

View Code ZIP pw:eip

This PoC demonstrates multiple file upload vulnerabilities in Vehicle Service Management System 1.0, allowing an attacker to upload malicious PHP files and achieve remote code execution via crafted payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Sourcecodester Vehicle Service Management System 1.0

Auth required

Prerequisites: Admin access to the target application · Ability to upload files via the admin panel

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-code-execution

Exploit, Third Party Advisory x_refsource_misc

https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution

Scores

CVSS v3 8.8

EPSS 0.0331

EPSS Percentile 86.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

vehicle_service_management_system_project/vehicle_service_management_system 1.0

Published Jan 06, 2022

Tracked Since Feb 18, 2026