CVE-2026-37748

Name of the Vulnerable Software and Affected Versions Visitor Management System version 1.0

Description An unrestricted file upload flaw exists in the endpoints 'vms/php/admin user insert.php' and 'vms/php/update 1.php'. The move uploaded file() function is executed without validating the MIME type, extension, or content. This allows an authenticated administrator to upload a PHP webshell, leading to remote code execution on the server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.