CVE-2026-0643

7.3 HIGH

📋 TL;DR

This vulnerability allows remote, unauthenticated attackers to upload arbitrary files through the signup component of House Rental and Property Listing 1.0. Attackers can use it to upload malicious files such as web shells and thereby gain unauthorized access to the host. Any organization running this software version is affected.

💻 Affected Systems

Products:
  • House Rental and Property Listing
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /app/register.php?action=reg endpoint via manipulation of the image parameter

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via remote code execution, data theft, and persistent backdoor installation

🟠 Likely Case: Unauthorized file upload leading to web shell deployment and limited system access

🟢 If Mitigated: File upload blocked or properly validated, preventing exploitation

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

An exploit has been published on GitHub; remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider workarounds or alternative software.

🔧 Temporary Workarounds

File Upload Restriction (applies to: all)

Implement server-side file type validation and restrict uploads to specific extensions

Web Application Firewall Rule (applies to: all)

Block requests to /app/register.php with image parameter containing suspicious content
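The "File Upload Restriction" workaround above, worked through in PHP as an added example. This is not code from the House Rental and Property Listing project or from the advisory; the form field name "image", the size limit, the upload directory path and the integration point in register.php are assumptions. The point it demonstrates is that the decision rests on the file's bytes (libmagic MIME type plus a successful getimagesize parse) and an extension allowlist, never on the client-supplied name or Content-Type, and that the stored file gets a random server-chosen name:

```php
<?php
// Added example (not the project's code): server-side validation for the
// signup image upload. Field name "image", the size limit and the upload
// directory are assumptions.
declare(strict_types=1);

// Allowlist: detected MIME type => extensions that may carry it.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // 2 MiB, assumed limit

/**
 * Validate an uploaded image and return the extension it may be stored with.
 * Every failed check throws, so a caller cannot silently skip the result.
 */
function check_image_file(string $tmpPath, string $originalName, int $size): string
{
    if ($size <= 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('Rejected: file size out of range');
    }
    // Only the LAST extension of the client-supplied name counts, so a name
    // like "x.php.jpg" yields "jpg" and is judged on its content below.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $allowedExts = array_merge(...array_values(ALLOWED_IMAGE_TYPES));
    if (!in_array($ext, $allowedExts, true)) {
        throw new RuntimeException('Rejected: extension not in allowlist');
    }
    // Sniff the bytes with libmagic; never trust $_FILES['image']['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if ($mime === false
        || !isset(ALLOWED_IMAGE_TYPES[$mime])
        || !in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        throw new RuntimeException('Rejected: content type does not match extension');
    }
    // The file must also decode as an image (readable dimensions).
    if (@getimagesize($tmpPath) === false) {
        throw new RuntimeException('Rejected: not a decodable image');
    }
    return $ext;
}

/**
 * Handle $_FILES['image'] from the signup form: validate, then store under a
 * random server-chosen name. The target directory must be configured so the
 * web server never executes scripts from it.
 */
function store_signup_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Rejected: upload error ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected: not an uploaded file');
    }
    $ext = check_image_file($file['tmp_name'], $file['name'], (int) $file['size']);
    // The original filename never reaches the filesystem.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Failed to store upload');
    }
    chmod($target, 0644);
    return $target;
}

// Assumed integration point in register.php when action=reg:
// try {
//     $path = store_signup_image($_FILES['image'], '/var/www/uploads/profile'); // assumed path
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Upload rejected');
// }
```

Two design choices matter here. First, the extension check alone is insufficient: an image that also carries PHP in its metadata passes the content checks, so the upload directory must sit outside the document root or have script execution disabled (for example an Apache directory block with `php_admin_flag engine off`, or an nginx location that serves the directory as static files). Second, the random filename removes the attacker's control over the path they would later request, which is what makes the "subsequent connections to uploaded files" indicator in the Detection section meaningful.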

🧯 If You Can't Patch

  • Disable the signup functionality entirely if not needed
  • Implement network segmentation to isolate the application from critical systems

🔍 How to Verify

Check if Vulnerable:

Attempt to upload a file with a malicious extension to /app/register.php?action=reg via the image parameter

Check Version:

Check software documentation or configuration files for version information

Verify Fix Applied:

Test that file uploads are properly validated and restricted to allowed types only

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /app/register.php
  • Files with suspicious extensions in upload directories

Network Indicators:

  • HTTP POST requests to /app/register.php with file uploads
  • Subsequent connections to uploaded files

SIEM Query:

source="web_server" AND uri="/app/register.php" AND method="POST" AND (file_upload="true" OR contains(param,"image"))
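The Log and Network Indicators listed above, turned into a small log scanner as an added example (it is neither the advisory's SIEM query nor code from the project). It assumes Apache/nginx "combined" access-log format, an upload directory served under the URL prefix /uploads/, and a ten-minute window for linking a signup POST to a later fetch; the sample lines are constructed, not real traffic:

```php
<?php
// Added example (not from the advisory or the project): scan access-log lines
// for POSTs to the signup endpoint and for script-like files requested from
// the upload directory. Log format, the "/uploads/" prefix, the follow-up
// window and the sample lines are all assumptions made for this example.
declare(strict_types=1);

const SIGNUP_PATH        = '/app/register.php';
const UPLOAD_URL_PREFIX  = '/uploads/';                        // assumed
const SCRIPT_EXTS        = ['php', 'php3', 'php5', 'phtml', 'phar'];
const FOLLOWUP_WINDOW_SEC = 600;                               // assumed

/** Parse one combined-format line into ip/time/method/path/status, or null. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $time = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($time === false) {
        return null;
    }
    // Drop the query string so "/app/register.php?action=reg" matches SIGNUP_PATH.
    $path = explode('?', $m[4], 2)[0];
    return [
        'ip'     => $m[1],
        'time'   => $time->getTimestamp(),
        'method' => $m[3],
        'path'   => $path,
        'status' => (int) $m[5],
    ];
}

/**
 * Return alerts as [severity, ip, detail]: medium for every POST to the
 * signup endpoint, medium for any script-like file under the upload prefix,
 * and high when that fetch comes from a client that POSTed to signup within
 * FOLLOWUP_WINDOW_SEC (the "subsequent connection to uploaded file" pattern).
 */
function find_upload_indicators(array $lines): array
{
    $alerts = [];
    $lastSignupPost = []; // ip => epoch time of its most recent signup POST
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && $r['path'] === SIGNUP_PATH) {
            $lastSignupPost[$r['ip']] = $r['time'];
            $alerts[] = ['medium', $r['ip'], 'POST to signup endpoint (possible file upload)'];
            continue;
        }
        $ext = strtolower(pathinfo($r['path'], PATHINFO_EXTENSION));
        $underUploads = strncmp($r['path'], UPLOAD_URL_PREFIX, strlen(UPLOAD_URL_PREFIX)) === 0;
        if ($underUploads && in_array($ext, SCRIPT_EXTS, true)) {
            $recent = isset($lastSignupPost[$r['ip']])
                && ($r['time'] - $lastSignupPost[$r['ip']]) <= FOLLOWUP_WINDOW_SEC;
            $alerts[] = [
                $recent ? 'high' : 'medium',
                $r['ip'],
                ($recent ? 'script fetched from upload dir shortly after signup POST: '
                         : 'script-like file requested in upload dir: ') . $r['path'],
            ];
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic). Expected result: one medium and
// one high alert for 203.0.113.5, nothing for 198.51.100.7.
$sample = [
    '203.0.113.5 - - [10/Jan/2026:10:15:01 +0000] "POST /app/register.php?action=reg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2026:10:15:04 +0000] "GET /uploads/x7f3a9.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:21:00 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];
foreach (find_upload_indicators($sample) as [$sev, $ip, $detail]) {
    printf("[%s] %s %s\n", strtoupper($sev), $ip, $detail);
}
```

Run it with `php scan.php` after replacing `$sample` with lines read from the real access log. The medium alerts on every signup POST will be noisy on a site with real registrations; the high alert is the one worth paging on, and it only exists because the random-filename mitigation (or the lack of it) leaves the attacker needing to request the stored file after uploading it.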
