CVE-2026-1445 identifies an unrestricted file upload vulnerability in the iJason-Liu Books_Manager application, specifically within the upload_bookCover.php controller script. The vulnerability arises from insufficient validation or restrictions on the 'book_cover' parameter, allowing an attacker to upload arbitrary files to the server. This can be exploited remotely, but requires the attacker to have high privileges (PR:H), indicating that authentication with elevated rights is necessary. The vulnerability does not require user interaction (UI:N), and the attack complexity is low (AC:L), meaning that once high privileges are obtained, exploitation is straightforward. The impact on confidentiality, integrity, and availability is low (VC:L, VI:L, VA:L), suggesting that while the attacker can upload files, the overall damage potential is limited, possibly due to environment constraints or additional security controls. The product uses a rolling release model, which means updates are continuously delivered without fixed version numbers, complicating patch management and vulnerability tracking. No public exploits have been observed in the wild, but the exploit code has been disclosed, increasing the risk of future attacks. The vulnerability's CVSS 4.0 score is 5.1, categorizing it as medium severity. The lack of specific CWE identifiers and patch links indicates that detailed remediation guidance may be limited, requiring organizations to review their upload handling mechanisms carefully.

For European organizations using the Books_Manager application, this vulnerability could allow an attacker with high-level access to upload malicious files, potentially leading to unauthorized code execution, defacement, or data manipulation. Although the impact on confidentiality, integrity, and availability is rated low, the ability to upload arbitrary files can be a stepping stone for further attacks, such as web shell deployment or lateral movement within the network. Organizations in sectors relying heavily on digital content management, such as publishing, education, or libraries, may face operational disruptions or reputational damage if exploited. The rolling release model may delay patch deployment or complicate vulnerability management, increasing exposure time. Given the requirement for high privileges, the threat is mitigated somewhat by existing access controls, but insider threats or compromised privileged accounts remain a concern. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks, especially as exploit code is publicly available.

European organizations should implement the following specific mitigations: 1) Conduct a thorough review and hardening of the file upload functionality in Books_Manager, ensuring strict validation of file types, sizes, and content to prevent arbitrary uploads. 2) Restrict upload permissions to the minimum necessary users and roles, enforcing the principle of least privilege to reduce the risk of exploitation. 3) Monitor and audit file upload directories for unauthorized or suspicious files, employing file integrity monitoring tools. 4) Apply network segmentation to isolate the Books_Manager application server from critical infrastructure, limiting the impact of a potential compromise. 5) Engage with the vendor or community to obtain the latest updates or patches, despite the rolling release model, and implement them promptly. 6) Employ web application firewalls (WAFs) with custom rules to detect and block malicious upload attempts targeting the 'book_cover' parameter. 7) Educate privileged users on secure handling and monitoring of their credentials to prevent account compromise. 8) Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real-time. These measures go beyond generic advice by focusing on the specific attack vector and operational context of the Books_Manager application.