CVE-2026-36726NVD

Vulnerability Summary

An arbitrary file deletion vulnerability in the /api/delete-temp-license/{file} endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences.

Severity Level

MEDIUM(5.3)

Published Date

Jun 9, 2026

Last Modified

Jun 10, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.12%Probability

Root Weakness (CWE)

CWE-22: Path Traversal ↗

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityNone

IntegrityLow

AvailabilityNone

External References

https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-11
https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-11

Critical Alert

CVE Watchtower

CVE-2026-36726NVD

Vulnerability Summary

External References