CVE-2026-36723
Published: 09 June 2026
Summary
CVE-2026-36723 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
An unrestricted file rename vulnerability exists in the /api/create-user component of bookcars version 8.3. The flaw, tracked as CVE-2026-36723 and classified as CWE-22, accepts path traversal sequences in the name under which a staged file is renamed, so files can be moved from temporary storage to arbitrary locations on the server filesystem. It carries a CVSS 3.1 base score of 8.8.
Authenticated attackers can exploit the issue over the network without user interaction to access sensitive files, overwrite critical application files, or achieve remote code execution by placing a file of their choosing where the application will later load or serve it. The EPSS score remains flat at 0.0108, with no observed increase after disclosure.
A single public reference describes the vulnerability but provides no mitigation guidance or patch details. No information on real-world exploitation is available in the supplied data.
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).
CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
T1190 Exploit Public-Facing Application
T1105 Ingress Tool Transfer
Why these techniques?
The path traversal sits in a network-reachable web API, so it is exploited directly against the public-facing application (T1190), and the arbitrary file-move primitive lets an attacker place a tool or payload of their choosing on the server (T1105), which is the route to RCE.
Affected Assets
bookcars v8.3 (/api/create-user endpoint)
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation of all inputs to the /api/create-user rename operation, rejecting directory traversal sequences before any file is moved.
AC-3 (Access Enforcement): Enforces that only explicitly authorized subjects and operations may perform file rename/move actions, preventing the unauthorized relocation of files from temporary storage.
Restricts the ability to change or move files on the server filesystem to only those processes and users that require the capability, limiting the impact of the flawed rename function.