{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1445", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-26T14:58:05.933Z", "datePublished": "2026-01-26T22:02:05.762Z", "dateUpdated": "2026-02-23T08:58:47.511Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:58:47.511Z"}, "title": "iJason-Liu Books_Manager upload_bookCover.php unrestricted upload", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "Unrestricted Upload"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "iJason-Liu", "product": "Books_Manager", "versions": [{"version": "298ba736387ca37810466349af13a0fdf828e99c", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-28T13:04:29.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "y1fan (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.342874", "name": "VDB-342874 | iJason-Liu Books_Manager upload_bookCover.php unrestricted upload", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342874", "name": "VDB-342874 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736971", "name": "Submit #736971 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload", "tags": ["third-party-advisory"]}, {"url": "https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/", "tags": ["broken-link", "exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:38:27.530308Z", "id": "CVE-2026-1445", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:38:38.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1445", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:38:27.530308Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:38:34.289Z"}}], "cna": {"title": "iJason-Liu Books_Manager upload_bookCover.php unrestricted upload", "credits": [{"lang": "en", "type": "reporter", "value": "y1fan (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "iJason-Liu", "product": "Books_Manager", "versions": [{"status": "affected", "version": "298ba736387ca37810466349af13a0fdf828e99c"}]}], "timeline": [{"lang": "en", "time": "2026-01-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-26T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-28T13:04:29.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.342874", "name": "VDB-342874 | iJason-Liu Books_Manager upload_bookCover.php unrestricted upload", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342874", "name": "VDB-342874 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736971", "name": "Submit #736971 | https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload", "tags": ["third-party-advisory"]}, {"url": "https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:58:47.511Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1445", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:58:47.511Z", "dateReserved": "2026-01-26T14:58:05.933Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-26T22:02:05.762Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en iJason-Liu Books_Manager hasta 298ba736387ca37810466349af13a0fdf828e99c. Esta vulnerabilidad afecta c\u00f3digo desconocido del archivo controllers/books_center/upload_bookCover.php. Realizar una manipulaci\u00f3n del argumento book_cover resulta en una carga sin restricciones. El ataque puede ser iniciado de forma remota. El exploit ha sido hecho p\u00fablico y podr\u00eda ser utilizado. Este producto utiliza un modelo de lanzamiento continuo para entregar actualizaciones continuas. Como resultado, la informaci\u00f3n de versi\u00f3n espec\u00edfica para las versiones afectadas o actualizadas no est\u00e1 disponible."}], "id": "CVE-2026-1445", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-26T22:15:54.607", "references": [{"source": "cna@vuldb.com", "url": "https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.342874"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.342874"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.736971"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:59:43.851408+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or upgrade iJason-Liu Books_Manager to a version that removes the unrestricted upload capability.", "If an immediate upgrade is impractical, restrict the upload to a whitelist of safe file types, enforce MIME type validation, and limit file size and storage paths for uploaded content.", "Disable or remove the upload_bookCover.php endpoint if it is not essential to business operations.", "Monitor web server logs for unexpected file upload activity and investigate any anomalous files detected in the upload directory."], "summary": {"action": "Patch Now", "impact": "Remote Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerable component is part of iJason-Liu Books_Manager, specifically the upload_bookCover.php controller. No specific fixed versions are listed; the product follows a rolling release model, and the advisory notes that version information for affected or updated releases is not available. Administrators should therefore consider all releases up to the commit 298ba736387ca37810466349af13a0fdf828e99c, and likely newer ones, as potentially vulnerable until a patch is supplied by the vendor.", "description_and_impact": "The vulnerability allows an attacker to manipulate the book_cover input parameter in upload_bookCover.php, leading to unrestricted file upload. This falls under CWE-434 (Unrestricted Upload of File) and potentially indicates a lack of adequate access controls (CWE-284). While the exploit demonstrates that arbitrary files can be uploaded from a remote location, the description does not confirm whether those files are subsequently executed by the application; the ultimate impact depends on how uploaded content is processed.", "risk_and_exploitability": "With a CVSS base score of 5.1, the flaw is considered medium severity. The EPSS score is less than 1%, indicating a very low exploitation probability at the time of analysis. This vulnerability is not listed in the CISA KEV catalog, so there is no public record of active exploitation. The attack may be initiated remotely and is publicly known, suggesting that an attacker could attempt exploitation if the application is exposed to untrusted input."}}}}, "created": "2026-01-27T09:03:05.687255+00:00", "updated": "2026-04-18T15:00:03.455869+00:00", "vendors": ["ijason-liu", "ijason-liu$PRODUCT$books_manager"]}