
CVE-2026-0643: Unrestricted Upload in projectworlds House Rental and Property Listing

Severity: Medium
Published: Tue Jan 06 2026 (01/06/2026, 23:32:05 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: House Rental and Property Listing

Description

A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 23:18:40 UTC

Technical Analysis

CVE-2026-0643 is a vulnerability in projectworlds House Rental and Property Listing version 1.0, specifically in the Signup component's /app/register.php?action=reg endpoint. The flaw arises from improper validation or restriction of the 'image' argument, which allows unrestricted file uploads: an attacker can remotely upload arbitrary files, including potentially malicious scripts or executables, without authentication or user interaction. Depending on the uploaded payload and server configuration, this can lead to unauthorized code execution, data manipulation, or service disruption.

The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L/VI:L/VA:L). Although no known exploits are currently active in the wild, a proof-of-concept exploit has been published, increasing the risk of exploitation. The lack of available patches or official fixes at the time of publication necessitates immediate mitigation efforts by affected organizations. This vulnerability is particularly critical for websites and services using this software to manage user registrations and image uploads, as it can be leveraged to compromise the underlying server or application environment.

Potential Impact

The unrestricted file upload vulnerability can have significant impacts on affected organizations. Attackers can upload malicious files such as web shells, enabling remote code execution and full system compromise. This can lead to data breaches, unauthorized access to sensitive information, defacement of websites, or disruption of services. The integrity of the application and its data can be compromised, and availability may be affected if attackers deploy ransomware or denial-of-service payloads. Since the vulnerability requires no authentication or user interaction, it increases the attack surface and risk of automated exploitation. Organizations relying on projectworlds House Rental and Property Listing 1.0 for their property listing platforms may face reputational damage, regulatory penalties, and operational downtime if exploited. The medium severity rating reflects the balance between ease of exploitation and the partial impact on confidentiality, integrity, and availability, but the actual impact can escalate depending on the attacker's objectives and environment.

Mitigation Recommendations

To mitigate CVE-2026-0643, organizations should first check for any official patches or updates from projectworlds and apply them immediately once available. In the absence of patches, implement strict server-side validation of uploaded files, including verifying file types, sizes, and content signatures to prevent malicious uploads. Employ allowlists for acceptable file extensions and reject all others. Configure web servers to disallow execution of uploaded files in upload directories by setting appropriate permissions and disabling script execution. Use web application firewalls (WAFs) to detect and block suspicious upload attempts. Monitor logs for unusual upload activity and conduct regular security audits of the application. Consider isolating the upload functionality in a sandboxed environment to limit potential damage. Educate developers and administrators about secure file upload practices and review the application code for similar vulnerabilities. Finally, implement network segmentation and least privilege principles to reduce the impact of a potential compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-06T13:56:12.840Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 695d9de7ee4c93a4aa9fb410

Added to database: 1/6/2026, 11:42:31 PM

Last enriched: 2/23/2026, 11:18:40 PM

Last updated: 3/25/2026, 9:55:34 AM
