CVE-2026-0643: Unrestricted Upload in projectworlds House Rental and Property Listing
A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2026-0643 identifies an unrestricted file upload vulnerability in the House Rental and Property Listing software by projectworlds, specifically in version 1.0. The vulnerability exists in the /app/register.php script when invoked with the action=reg parameter, which handles user signup functionality. The flaw arises from improper validation or sanitization of the 'image' argument, allowing attackers to upload arbitrary files without restrictions. Since the upload mechanism does not enforce file type checks, size limits, or authentication, an attacker can remotely upload malicious files such as web shells or scripts. This can lead to remote code execution, server compromise, data theft, or defacement. The CVSS 4.0 base score of 6.9 reflects a medium severity, considering the network attack vector, no required privileges or user interaction, and limited confidentiality, integrity, and availability impacts. No patches have been linked yet, and while no active exploitation is reported, the availability of exploit code increases the risk of future attacks. The vulnerability affects only version 1.0 of the software, which is commonly used in property listing and rental management platforms, often deployed by small to medium enterprises.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized access to internal systems, data breaches involving sensitive customer or property information, and disruption of business operations. Real estate platforms and property management services relying on this software may face reputational damage and regulatory penalties under GDPR if personal data is compromised. The ability to upload arbitrary files remotely without authentication increases the risk of server takeover, which could be leveraged to launch further attacks within corporate networks. Additionally, attackers could deface websites or use compromised servers as pivot points for broader cyber espionage or ransomware campaigns. The medium severity rating suggests moderate but tangible risks, particularly for organizations lacking robust perimeter defenses or monitoring.
Mitigation Recommendations
Organizations should immediately audit their deployments of projectworlds House Rental and Property Listing version 1.0 to identify vulnerable instances. Until an official patch is released, implement strict server-side validation of uploaded files, including enforcing allowed file extensions (e.g., only images such as .jpg, .png), validating MIME types, and scanning uploads with antivirus or malware detection tools. Configure web server permissions to prevent execution of uploaded files in upload directories. Employ web application firewalls (WAFs) to detect and block suspicious upload attempts. Monitor logs for unusual activity related to /app/register.php and the image parameter. Consider isolating the application environment to limit potential damage from exploitation. Engage with the vendor for patch timelines and apply updates promptly once available. Additionally, conduct security awareness training for administrators to recognize signs of compromise.
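The server-side validation the paragraph above recommends (extension allowlist, MIME check, content inspection, size limit, and never trusting the client-supplied filename) is shown below as an added example in Python. It is not code from the projectworlds application or from the advisory; the field name, the 2 MiB cap and the allowed image types are assumptions chosen for illustration, and a real deployment would also store the file outside the web root with execution disabled.

```python
"""Hardened handling for an image upload field such as the signup form's
'image' parameter. Added example, not projectworlds code; the policy values
(allowed types, size cap) are assumptions for illustration."""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy: only the raster image types a signup avatar needs.
# Each entry maps an extension to the MIME type it must declare and the
# magic-byte prefixes its content must start with.
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB cap for an avatar


@dataclass
class UploadResult:
    ok: bool
    reason: str                     # "ok" or the check that rejected the file
    stored_name: Optional[str] = None


def validate_image_upload(client_name: str, client_mime: str, data: bytes) -> UploadResult:
    """Return an UploadResult; only ok=True results should ever reach disk."""
    # 1. Size limit first, before any content inspection.
    if len(data) == 0 or len(data) > MAX_BYTES:
        return UploadResult(False, "size")

    # 2. Filename hygiene: strip any directory part, refuse NUL bytes and
    #    multi-extension names (a.php.jpg) that some web servers treat specially.
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or "\x00" in base or base.count(".") != 1:
        return UploadResult(False, "name")
    ext = base.rsplit(".", 1)[1].lower()

    # 3. Extension allowlist, never a denylist.
    if ext not in ALLOWED:
        return UploadResult(False, "extension")
    expected_mime, magics = ALLOWED[ext]

    # 4. Client-declared MIME type must agree with the extension. This is
    #    attacker-controlled, so it is a consistency check, not proof.
    if client_mime.lower() != expected_mime:
        return UploadResult(False, "mime")

    # 5. Magic bytes must match the claimed type: catches a script renamed to .jpg.
    if not any(data.startswith(m) for m in magics):
        return UploadResult(False, "content")

    # 6. Refuse image/script polyglots that carry a PHP open tag in the body.
    #    "<?php" is checked rather than "<?" because XMP metadata legitimately
    #    begins with "<?xpacket".
    if b"<?php" in data:
        return UploadResult(False, "embedded_code")

    # 7. The stored name is random and server-chosen; the client name is never reused.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadResult(True, "ok", stored)


if __name__ == "__main__":
    # Constructed sample inputs: a real JPEG header and a renamed script.
    good = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_image_upload("avatar.jpg", "image/jpeg", good))
    print(validate_image_upload("shell.jpg", "image/jpeg", b"<?php system($_GET['c']); ?>"))
```

The order of the checks matters: the size cap runs before anything reads the body, and the allowlist decides which magic bytes and MIME type are acceptable rather than letting the client's declaration drive the decision. Because the stored filename is generated server-side, even a file that passes every check cannot choose the name under which it lands on disk.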
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-06T13:56:12.840Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695d9de7ee4c93a4aa9fb410
Added to database: 1/6/2026, 11:42:31 PM
Last enriched: 1/6/2026, 11:42:45 PM
Last updated: 1/8/2026, 1:03:55 AM
Views: 14