{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26699", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-04T17:39:35.421Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T15:28:08.964Z"}, "descriptions": [{"lang": "en", "value": "sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/admin_change_picture.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/personel-property-equipment-system/RCE-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T15:57:56.445405Z", "id": "CVE-2026-26699", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:39:35.421Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T15:57:56.445405Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T15:55:53.044Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/personel-property-equipment-system/RCE-1.md"}], "descriptions": [{"lang": "en", "value": "sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/admin_change_picture.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T15:28:08.964Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26699", "state": "PUBLISHED", "dateUpdated": "2026-03-04T17:39:35.421Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jon-remus-sevellejo:personnel_property_equipment_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A7A99194-81C2-46F1-AE69-BD21CF799749", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/admin_change_picture.php."}], "id": "CVE-2026-26699", "lastModified": "2026-03-04T18:16:28.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T16:16:25.250", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/personel-property-equipment-system/RCE-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "personnel_property_equipment_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-16T14:53:07.930444+00:00", "value": {"mitigation_remediation": ["Apply the official patch or upgrade to the latest released version that addresses the image upload flaw", "If a patch or newer version is unavailable, restrict access to admin_change_picture.php to authorized administrators or disable the endpoint entirely", "Configure robust input validation on file uploads and reject any files that contain executable code or unexpected content, and consider deploying a web application firewall rule to block injection attempts"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Personnel Property Equipment System version 1.0, released by the vendor identified in the CPE as jon-remus-sevellejo. No other versions or products are listed as affected.", "description_and_impact": "The Vulnerability allows an attacker to supply crafted input to the PHP script that handles image uploads in the admin change picture page, leading to arbitrary code execution on the server. The flaw is a classic code injection issue (CWE-94). An attacker who can trigger the upload function could run commands with the privileges of the web application process, compromising confidentiality, integrity, and availability of the entire system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity; however, the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. Externally accessible, the impacted endpoint accepts HTTP requests, so a remote attacker reasonably could exploit the flaw by sending a specially crafted file upload to the admin_change_picture.php endpoint, provided the attacker has network access to the application."}}}}, "created": "2026-03-03T08:46:55.993720+00:00", "title": "Arbitrary Code Execution via Admin Photo Upload in Personnel Property Equipment System", "updated": "2026-04-16T15:00:14.323441+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$personnel_property_equipment_system"]}