CVE-2026-1445: Unrestricted Upload in iJason-Liu Books_Manager

Severity: Medium
Published: Mon Jan 26 2026 (01/26/2026, 22:02:05 UTC)
Source: CVE Database V5
Vendor/Project: iJason-Liu
Product: Books_Manager

Description

A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 22:30:02 UTC

Technical Analysis

CVE-2026-1445 identifies an unrestricted file upload vulnerability in the iJason-Liu Books_Manager application, specifically within the upload_bookCover.php script. The vulnerability arises due to insufficient validation or restriction on the 'book_cover' parameter, allowing an attacker to upload arbitrary files to the server. Because the vulnerability requires high privilege authentication but no user interaction, an authenticated attacker with elevated rights can exploit this remotely to upload malicious files, such as web shells or scripts, potentially leading to server compromise. The vulnerability affects the code base up to commit 298ba736387ca37810466349af13a0fdf828e99c. The product’s rolling release model means that affected versions are continuously updated, making it difficult to pinpoint exact vulnerable releases. The CVSS 4.0 score of 5.1 reflects a medium severity, considering network attack vector, low complexity, no user interaction, but requiring high privileges. Although no known exploits are currently observed in the wild, public disclosure of exploit details increases the risk of exploitation. The vulnerability could be leveraged to escalate attacks within affected environments, impacting confidentiality, integrity, and availability to a limited extent due to the required privilege level and scope of the vulnerability.

Potential Impact

The primary impact of this vulnerability is the potential for an authenticated attacker with high privileges to upload arbitrary files, which could lead to unauthorized code execution, data tampering, or denial of service. While the requirement for high privilege limits the attack surface, exploitation could allow attackers to deploy web shells or malware, pivot within the network, or disrupt application functionality. Organizations relying on iJason-Liu Books_Manager may face risks of data breaches, service interruptions, or reputational damage if the vulnerability is exploited. The rolling release nature of the product complicates patch management, potentially delaying remediation. The medium severity rating indicates moderate risk, but the presence of public exploit code increases urgency. The impact is more significant in environments where the application is internet-facing or integrated with sensitive data systems.

Mitigation Recommendations

To mitigate this vulnerability, organizations should implement strict validation and sanitization of file uploads, ensuring only allowed file types and sizes are accepted. Employ server-side checks to verify file content and use allowlists rather than blocklists. Restrict upload directories to non-executable locations and enforce least privilege on file system permissions. Monitor logs for suspicious upload activity and anomalous file changes. Apply the latest updates from the vendor promptly, even though specific patch versions are not clearly defined due to the rolling release model. If immediate patching is not possible, consider disabling the upload functionality or restricting access to the upload endpoint to trusted administrators only. Conduct regular security assessments and penetration testing focused on file upload mechanisms. Employ web application firewalls (WAFs) with rules targeting file upload abuse to provide an additional layer of defense.
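The following is an added example of the server-side checks listed above, written here as a hardened handler for a multipart field named book_cover; it is not code from the Books_Manager project, and the storage directory, the size limit and the image-type allowlist are assumptions.

```php
<?php
// Added example (not the Books_Manager project's code): hardened handling of a
// multipart form field named book_cover. Directory and size limit are assumptions.
declare(strict_types=1);

const COVER_DIR      = '/var/lib/books_manager/covers'; // assumed: outside the web root, never mapped to a PHP handler
const MAX_COVER_SIZE = 2 * 1024 * 1024;                  // assumed 2 MiB limit
// Allowlist of image MIME types mapped to the extension the server assigns;
// the client-supplied filename and Content-Type are never used.
const ALLOWED_TYPES  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/webp' => 'webp'];

function store_book_cover(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_COVER_SIZE) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type server-side; $file['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // Independent second check: the bytes must decode as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('content is not a valid image');
    }
    // Random, server-chosen name plus an allowlisted extension: no path traversal,
    // no .php/.phtml, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = COVER_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application user, never executable
    return $name;       // persist only this name; serve it through a read-only route
}

// Usage inside the request handler (assumed call site):
try {
    $cover = store_book_cover($_FILES['book_cover'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    error_log('book_cover upload rejected: ' . $e->getMessage()); // feeds the log monitoring recommended above
}
```

Rejections are logged so that repeated attempts against the upload endpoint show up in the monitoring the recommendations call for.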


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-26T14:58:05.933Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6977e8c84623b1157cbefcae

Added to database: 1/26/2026, 10:20:56 PM

Last enriched: 2/23/2026, 10:30:02 PM

Last updated: 3/25/2026, 6:06:30 PM

