CVE-2026-37748

Published: Apr 21, 2026

Modified: Apr 21, 2026

PUBLISHED

Description

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php. The move_uploaded_file() function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell and achieve Remote Code Execution on the server.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/sanjay1313/Visitor-Management-System

https://github.com/menevarad007/CVE-2026-37748

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-37748

Description

Affected Products

References