Cyber Resilience

CVE-2026-36723


Published: 09 June 2026

Modified: 17 June 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0100 (58.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-36723 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

An unrestricted file rename vulnerability exists in the /api/create-user component of bookcars version 8.3. The flaw, tracked as CVE-2026-36723 and assigned CWE-22, permits path traversal sequences that allow files to be moved from temporary storage to arbitrary filesystem locations. It carries a CVSS 3.1 base score of 8.8.

Authenticated attackers can exploit the issue over the network without user interaction to access sensitive files, overwrite critical application files, or achieve remote code execution. The EPSS score remains flat at 0.0108 with no observed increase after disclosure.

A single public reference describes the vulnerability but provides no mitigation guidance or patch details. No information on real-world exploitation is available in the supplied data.


EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE).

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.

Why these techniques?

Path traversal in the web API enables exploitation of a public-facing application (T1190) and arbitrary file placement for tool or payload transfer (T1105), leading to RCE.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

bookcars v8.3

Mitigating Controls (NIST 800-53 r5, AI)

- prevent: Directly requires validation of all inputs to the /api/create-user rename operation, blocking directory traversal sequences before files can be moved to arbitrary locations.
- prevent: Enforces that only explicitly authorized subjects and operations may perform file rename/move actions, preventing the unauthorized relocation of files from temporary storage.
- prevent: Restricts the ability to change or move files on the server filesystem to only those processes and users that require the capability, limiting the impact of the flawed rename function.
