CVE-2026-0643: Unrestricted Upload in projectworlds House Rental and Property Listing
A flaw has been found in projectworlds House Rental and Property Listing 1.0. Affected is an unknown function of the file /app/register.php?action=reg in the Signup component. Manipulation of the argument image leads to an unrestricted upload. The attack can be launched remotely. An exploit has been published and may be used.
AI Analysis
Technical Summary
CVE-2026-0643 is a vulnerability identified in version 1.0 of the projectworlds House Rental and Property Listing software, specifically in the signup component located at /app/register.php?action=reg. The vulnerability arises from improper handling of the 'image' parameter, which allows an attacker to upload files without restriction. This unrestricted upload flaw means that an attacker can upload malicious files, such as web shells or scripts, that could be executed on the server, leading to full system compromise. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is low to limited but can escalate if the uploaded files are used to execute arbitrary code or pivot within the network. No official patches or updates have been linked yet, and while no active exploitation in the wild is reported, the existence of a public exploit increases the urgency for mitigation. The vulnerability affects only version 1.0 of the product, so upgrading or applying vendor patches when available is critical. The flaw is typical of insufficient input validation and lack of proper file upload controls, a common web application security issue.
Potential Impact
For European organizations using projectworlds House Rental and Property Listing 1.0, this vulnerability poses a significant risk of unauthorized access and potential system compromise. Attackers could upload malicious payloads leading to remote code execution, data theft, or service disruption. Real estate and property management companies relying on this software may face operational downtime, reputational damage, and regulatory compliance issues, especially under GDPR if personal data is exposed. The medium severity score indicates a moderate but tangible threat that could escalate if exploited in combination with other vulnerabilities. Since the exploit requires no authentication and no user interaction, the attack surface is broad, increasing the likelihood of automated attacks. Organizations in Europe with critical infrastructure or large property portfolios may be targeted to gain footholds for further attacks. The lack of current known exploitation reduces immediate risk but does not eliminate it, especially given the public exploit availability.
Mitigation Recommendations
1. Immediately restrict file upload functionality by implementing strict server-side validation to allow only specific, safe file types (e.g., images with verified MIME types and extensions).
2. Employ file content inspection and scanning for malware on all uploads.
3. Configure the web server to prevent execution of uploaded files by placing upload directories outside the web root or disabling script execution in those directories.
4. Use a web application firewall (WAF) with rules to detect and block suspicious upload attempts targeting the vulnerable endpoint.
5. Monitor logs for unusual upload activity or access patterns to /app/register.php?action=reg.
6. Isolate the application environment using containerization or network segmentation to limit potential lateral movement if compromise occurs.
7. Engage with the vendor for patches or updates and plan for an upgrade to a fixed version once available.
8. Conduct regular security assessments and penetration testing focusing on file upload mechanisms.
9. Educate development teams on secure coding practices to prevent similar vulnerabilities in future releases.
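The technical summary attributes the flaw to missing input validation and file upload controls, and items 1 to 3 above describe the fix. The following PHP handler is an added example of those controls applied to a signup form field named image; it is not code from projectworlds House Rental and Property Listing, whose register.php is not reproduced here. The function name storeProfileImage, the 2 MiB size limit, the allowed image types and the /var/app-data/uploads storage path are assumptions made for the illustration.

```php
<?php
// Added example (not the project's code): hardened handling of an uploaded
// image field named "image", covering server-side type validation, content
// inspection and storage outside the web root.

declare(strict_types=1);

/**
 * Validate an uploaded image and move it to a directory that the web server
 * does not serve or execute from. Returns the server-generated file name on
 * success and throws RuntimeException on any rejection.
 *
 * @param array  $file       one entry of $_FILES
 * @param string $uploadRoot absolute path outside the document root (assumed)
 */
function storeProfileImage(array $file, string $uploadRoot): string
{
    // 1. Basic upload sanity: PHP reported no error, and the temp file really
    //    came from this request (is_uploaded_file rejects arbitrary paths).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Size limit (2 MiB is an assumed value; adjust to the application's needs).
    if ((int) $file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // 3. Extension allowlist, mapped to the MIME type each extension must carry.
    //    Only the last extension of the client-supplied name is considered, and
    //    that name is never reused on disk (see step 6).
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 4. Content-based MIME detection. $file['type'] is the client's own
    //    Content-Type header and is attacker-controlled, so it is ignored.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        throw new RuntimeException("Detected type $detected does not match extension .$ext");
    }

    // 5. Require that the bytes decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        throw new RuntimeException('File is not a valid image');
    }

    // 6. Random, server-generated name with the allowlisted extension, so the
    //    client has no influence over the stored path or name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;

    // 7. Store outside the document root with non-executable permissions.
    if (!is_dir($uploadRoot) && !mkdir($uploadRoot, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    $dest = rtrim($uploadRoot, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);

    return $stored;
}

// Wiring into a signup handler (assumed structure, not the project's own).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        // /var/app-data/uploads is an assumed location outside the web root.
        $name = storeProfileImage($_FILES['image'], '/var/app-data/uploads');
        // Persist $name with the account record and serve it later through a
        // script that sets Content-Type from that record, never by direct URL.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Invalid image upload';
        error_log('register.php upload rejected: ' . $e->getMessage());
    }
}
```

Content sniffing and getimagesize on their own do not reject a file that is simultaneously a valid image and contains script text, which is why item 3 (no script execution in the upload directory, or storage outside the document root as done here) remains necessary alongside the validation; the random server-side name additionally removes any attacker control over the stored path.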
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-06T13:56:12.840Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695d9de7ee4c93a4aa9fb410
Added to database: 1/6/2026, 11:42:31 PM
Last enriched: 1/14/2026, 1:45:03 AM
Last updated: 2/4/2026, 8:28:58 PM
Views: 42