CVE-2026-1445: Unrestricted Upload in iJason-Liu Books_Manager
CVE-2026-1445 is a medium severity vulnerability in the iJason-Liu Books_Manager application allowing unrestricted file upload via manipulation of the book_cover parameter in upload_bookCover.php. The flaw can be exploited remotely without user interaction but requires high privileges. Exploitation could lead to limited confidentiality, integrity, and availability impacts. The product uses a rolling release model, complicating version-specific patching. No known exploits are currently in the wild. European organizations using this software should prioritize mitigation to prevent potential unauthorized file uploads that could lead to further compromise.
AI Analysis
Technical Summary
CVE-2026-1445 identifies an unrestricted file upload vulnerability in the iJason-Liu Books_Manager software, specifically in the upload_bookCover.php controller. The vulnerability arises from insufficient validation or restrictions on the 'book_cover' parameter, allowing an attacker with high privileges to upload arbitrary files remotely. The vulnerability affects the code base up to commit 298ba736387ca37810466349af13a0fdf828e99c. Because the product follows a rolling release model, pinpointing exact affected versions is challenging. The CVSS 4.0 score is 5.1 (medium), reflecting a network attack vector, low complexity and no user interaction, but requiring high privileges. The impact on confidentiality, integrity, and availability is limited but non-negligible, as unrestricted uploads could enable attackers to place malicious files on the server, potentially leading to code execution or data manipulation if combined with other vulnerabilities. No public exploits are currently known, but the vulnerability has been disclosed, increasing the risk of future exploitation. The lack of patch links means that users must monitor vendor updates closely or implement compensating controls.
Potential Impact
For European organizations using iJason-Liu Books_Manager, this vulnerability poses a moderate risk. Unrestricted upload can allow attackers to place malicious files on servers, potentially leading to web shell deployment, data tampering, or service disruption. Although exploitation requires high privileges, insider threats or compromised accounts could leverage this flaw to escalate attacks. The impact on confidentiality includes possible exposure or alteration of sensitive book management data. Integrity could be compromised by unauthorized file modifications, and availability might be affected if malicious uploads disrupt service operations. Organizations in sectors relying on this software for digital content management, such as publishing, education, or libraries, could face operational disruptions and reputational damage. The rolling release model complicates patch management, increasing the window of exposure.
Mitigation Recommendations
European organizations should implement strict access controls to limit who can upload files, ensuring only trusted, authenticated users with the necessary privileges can perform uploads. Employing web application firewalls (WAFs) to detect and block suspicious upload attempts can provide an additional layer of defense. Validate and sanitize all uploaded files rigorously, restricting allowed file types, sizes, and content to prevent malicious payloads. Monitor server directories for unexpected or unauthorized files and maintain comprehensive logging to detect anomalous activity. Since no official patches are currently linked, organizations should engage with the vendor for timely updates and consider temporarily disabling the upload feature if feasible. Regularly update and audit user privileges to minimize the risk of privilege abuse. Conduct penetration testing focused on file upload functionality to identify and remediate weaknesses proactively.
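The checks this section calls for (an allow-list of file types, a size limit, content inspection that the extension must agree with, a server-generated filename, and a sweep of the upload directory for files that should not be there) are shown below as an added example. It is not code from the Books_Manager project; all names, the 2 MiB limit and the sample inputs are constructed for illustration, and the equivalent logic in the affected application would live in the PHP controller rather than in Python.

```python
import secrets
import tempfile
from pathlib import Path

# Added example: upload restrictions for a "book cover" endpoint plus a directory sweep.
# Every name here is hypothetical; this is not the Books_Manager project's own code.

MAX_COVER_BYTES = 2 * 1024 * 1024  # constructed limit for a cover image

# Leading bytes of the only formats a cover is allowed to be.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the allow-list checks."""


def sniff_image_type(head: bytes):
    """Return the format implied by the file's leading bytes, or None if unrecognised."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(head.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_cover(client_filename: str, data: bytes) -> str:
    """Reject anything that is not a small, genuine image; return a fresh server-side name."""
    if not data or len(data) > MAX_COVER_BYTES:
        raise UploadRejected("size out of bounds")
    # Only the final suffix counts, so 'cover.php.jpg' is judged as 'jpg'
    # and must still pass the content check below.
    ext = Path(client_filename).suffix.lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    sniffed = sniff_image_type(data[:16])
    if sniffed is None:
        raise UploadRejected("content is not a recognised image")
    if sniffed != ext:
        raise UploadRejected(f"extension {ext!r} does not match content {sniffed!r}")
    # Heuristic: refuse images that also carry a PHP open tag (polyglot files). This
    # complements, and does not replace, serving the upload directory with script execution off.
    if b"<?php" in data:
        raise UploadRejected("image carries an embedded script marker")
    # The client-supplied name is never reused; it could carry traversal sequences.
    return f"{secrets.token_hex(16)}.{ext}"


def store_cover(upload_dir: Path, client_filename: str, data: bytes) -> Path:
    """Validate first, then write the cover under a random name inside upload_dir."""
    dest = upload_dir / validate_cover(client_filename, data)
    dest.write_bytes(data)
    return dest


def scan_cover_dir(upload_dir: Path) -> list:
    """Monitoring sweep: names of files whose extension or header is not an allowed image."""
    suspicious = []
    for path in upload_dir.iterdir():
        if not path.is_file():
            continue
        ext = path.suffix.lower().lstrip(".")
        with path.open("rb") as fh:
            head = fh.read(16)
        if ext not in IMAGE_SIGNATURES or sniff_image_type(head) != ext:
            suspicious.append(path.name)
    return sorted(suspicious)


def demo() -> dict:
    """Exercise the checks against constructed inputs in a temporary directory."""
    upload_dir = Path(tempfile.mkdtemp())
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # constructed PNG header plus padding
    results = {"accepted": [], "rejected": {}}
    results["accepted"].append(store_cover(upload_dir, "cover.png", png).suffix)
    samples = {
        "cover.php": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # disallowed extension
        "cover.png": b"plain text, not an image",        # extension fine, content is not
        "cover.jpg": png,                                # extension and content disagree
        "big.png": png + b"\x00" * MAX_COVER_BYTES,      # over the size limit
        "poly.png": png + b"<?php ?>",                   # image carrying a script marker
    }
    for name, data in samples.items():
        try:
            store_cover(upload_dir, name, data)
        except UploadRejected as exc:
            results["rejected"][name] = str(exc)
    # A file placed in the directory by some path other than the handler is caught by the sweep.
    (upload_dir / "dropped.php").write_bytes(b"not an image")
    results["suspicious"] = scan_cover_dir(upload_dir)
    return results


if __name__ == "__main__":
    print(demo())
```

The sweep in `scan_cover_dir` is the detection side of the same policy: running it on a schedule over the cover directory surfaces files that bypassed the handler or were placed there before the checks existed, which is the "monitor server directories" recommendation above in executable form.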
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-26T14:58:05.933Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977e8c84623b1157cbefcae
Added to database: 1/26/2026, 10:20:56 PM
Last enriched: 1/26/2026, 10:35:31 PM
Last updated: 1/27/2026, 1:13:56 AM