Scan free
MEDIUMCVE-2026-4875CVSS 4.7

PocketMine-MP JSON Payload Vulnerability (GHSA-788v-5pfp-93ff)

Platform

php

Component

vulnerability-practice

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: Apr 2026
View on NVD
Save

CVE-2026-4875 is a denial-of-service vulnerability found in the pocketmine/pocketmine-mp component. An attacker can exploit this by sending excessively large JSON payloads through ModalFormResponsePackets, causing the server to consume excessive memory and CPU resources. This vulnerability affects PocketMine-MP versions up to 5.9.0. A patch has been released in version 5.39.2.

Impact and Attack Scenarios

A critical vulnerability has been identified in Free Hotel Reservation System version 1.0 (CVE-2026-4875). This flaw allows for unrestricted file uploads by manipulating the 'image' argument within an unknown function in the file /admin/mod_amenities/index.php?view=add. The CVSS score is 4.7, indicating a moderate risk. The remote nature of the exploitation means an attacker can leverage this vulnerability without local system access. Public disclosure of the exploit significantly increases the risk of active attacks. This vulnerability could allow attackers to upload malicious files, such as web scripts or executables, compromising server security and potentially gaining full system control.

Exploitation Context

The vulnerability is exploited through manipulation of the 'image' parameter in the URL /admin/mod_amenities/index.php?view=add. An attacker can send an HTTP request with a malicious 'image' parameter containing a non-image file (e.g., a PHP script). Due to inadequate validation, the system allows the upload of this file, which can then be executed on the server. Public disclosure of the exploit facilitates replication and increases the likelihood of automated attacks. The absence of an official fix implies that systems using Free Hotel Reservation System 1.0 are particularly vulnerable.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.05% (14% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R4.7MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentvulnerability-practice
Vendoritsourcecode
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-434CWE-284

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 59 days since disclosure

Mitigation and Workarounds

Currently, no official fix has been provided by the developers of Free Hotel Reservation System. The most effective immediate mitigation is to temporarily disable the /admin/mod_amenities/index.php?view=add functionality until an update is released. We strongly recommend monitoring the developer's website and security forums for a solution. Additionally, implementing a Web Application Firewall (WAF) can help block exploitation attempts. Regular security audits and keeping server software updated are essential preventative practices to reduce the risk of future vulnerabilities.

How to fix

Actualizar a una versión parcheada del sistema de reservas de hotel. Si no hay una versión disponible, considerar deshabilitar la funcionalidad de carga de imágenes o implementar validaciones estrictas en el servidor para restringir los tipos de archivos permitidos y evitar la ejecución de código malicioso.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-4875 in Free Hotel Reservation System?

It's a unique identifier for this specific vulnerability in the Free Hotel Reservation System.

Am I affected by CVE-2026-4875 in Free Hotel Reservation System?

Theoretically, any type of file, including PHP scripts, executables, and other malicious files.

How do I fix CVE-2026-4875 in Free Hotel Reservation System?

Disabling the /admin/mod_amenities/index.php?view=add functionality is the best temporary option until an update is released.

Is CVE-2026-4875 being actively exploited?

Search vulnerability databases like the National Vulnerability Database (NVD) or specialized security forums.

Where can I find the official Free Hotel Reservation System advisory for CVE-2026-4875?

A Web Application Firewall (WAF) is a security tool that filters HTTP traffic and can block exploitation attempts.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs