CVE-2026-36723

HIGH

bookcars 8.3 - Authenticated Unrestricted File Rename and Directory Traversal via /api/create-user

Title source: llm

Description

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).

References (1)

Core 1

Core References

https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-17

Scores

CVSS v3 8.8

EPSS 0.0100

EPSS Percentile 58.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Published Jun 09, 2026

Tracked Since Jun 10, 2026