← Back
2026-03-09 3:32CVE-2026-3800VulDB
PUBLISHED5.2CWE-434CWE-284x_freeware

SourceCodester/janobe Resort Reservation System controller.php doInsert unrestricted upload

A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. Affected is the function doInsert of the file /controller.php?action=add. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Problem type

Affected products

SourceCodester

Resort Reservation System

1.0 - AFFECTED

janobe

Resort Reservation System

1.0 - AFFECTED

References

VDB-349767 | SourceCodester/janobe Resort Reservation System controller.php doInsert unrestricted upload

https://vuldb.com/?id.349767

vdb-entrytechnical-description
VDB-349767 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.349767

signaturepermissions-required
Submit #768978 | janobe Resort Reservation System 1.0 Unrestricted Upload

https://vuldb.com/?submit.768978

third-party-advisory
Submit #768998 | janobe Resort Reservation System 1.0 Unrestricted Upload (Duplicate)

https://vuldb.com/?submit.768998

third-party-advisory
github.com

https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Resort-Reservation-System---Unrestricted-Upload.md

exploit

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-3800
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-3800",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-03-09T03:32:12.090Z",
    "dateReserved": "2026-03-08T12:36:53.759Z",
    "datePublished": "2026-03-09T03:32:12.090Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-03-09T03:32:12.090Z"
      },
      "title": "SourceCodester/janobe Resort Reservation System controller.php doInsert unrestricted upload",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in SourceCodester/janobe Resort Reservation System 1.0. Affected is the function doInsert of the file /controller.php?action=add. Such manipulation of the argument image leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."
        }
      ],
      "affected": [
        {
          "vendor": "SourceCodester",
          "product": "Resort Reservation System",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        },
        {
          "vendor": "janobe",
          "product": "Resort Reservation System",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Unrestricted Upload",
              "cweId": "CWE-434",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Access Controls",
              "cweId": "CWE-284",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.349767",
          "name": "VDB-349767 | SourceCodester/janobe Resort Reservation System controller.php doInsert unrestricted upload",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.349767",
          "name": "VDB-349767 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.768978",
          "name": "Submit #768978 | janobe Resort Reservation System 1.0 Unrestricted Upload",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.768998",
          "name": "Submit #768998 | janobe Resort Reservation System 1.0 Unrestricted Upload (Duplicate)",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Resort-Reservation-System---Unrestricted-Upload.md",
          "tags": [
            "exploit"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "baseScore": 6.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-03-08T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-03-08T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-03-08T13:41:58.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "webray.com.cn (VulDB User)",
          "type": "reporter"
        }
      ],
      "tags": [
        "x_freeware"
      ]
    }
  }
}