Platform
php
Component
vulnerability-practice
Fixed in
1.0.1
CVE-2026-4875 is a denial-of-service vulnerability found in the pocketmine/pocketmine-mp component. An attacker can exploit this by sending excessively large JSON payloads through ModalFormResponsePackets, causing the server to consume excessive memory and CPU resources. This vulnerability affects PocketMine-MP versions up to 5.9.0. A patch has been released in version 5.39.2.
A vulnerability has been identified in Free Hotel Reservation System version 1.0 and assigned CVE-2026-4875. The flaw allows unrestricted file upload by manipulating the 'image' argument of an unknown function in the file /admin/mod_amenities/index.php?view=add. The CVSS score is 4.7 (medium). The vulnerability is remotely exploitable, so an attacker needs no local access to the system, and a public exploit is available, which increases the likelihood of active attacks. Successful exploitation could let an attacker upload malicious files such as web scripts or executables, compromising the server and potentially leading to full system control.
The vulnerability is exploited by manipulating the 'image' parameter of /admin/mod_amenities/index.php?view=add. An attacker sends an HTTP request whose 'image' parameter carries a non-image file (for example a PHP script). Because the application does not adequately validate the upload, the file is stored and can then be requested and executed on the server. The public availability of the exploit makes replication easy and raises the likelihood of automated attacks, and because no official fix is available, systems running Free Hotel Reservation System 1.0 remain exposed.
EPSS: 0.05% (14th percentile)
Currently, no official fix has been provided by the developers of Free Hotel Reservation System. The most effective immediate mitigation is to temporarily disable the add-amenity functionality at /admin/mod_amenities/index.php?view=add until an update is released. Monitor the developer's website and security forums for a fix. A Web Application Firewall (WAF) can help block exploitation attempts, but it is a stopgap rather than a fix: a WAF inspects requests, not the stored files, and cannot guarantee that a disguised script is rejected. Regular security audits and keeping server software updated remain essential to reduce the risk of future vulnerabilities.
Update to a patched version of the hotel reservation system. If no patched version is available, consider disabling the image upload functionality, or implement strict server-side validation that restricts the allowed file types and prevents uploaded files from being executed as code.
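The following is an added example and not the Free Hotel Reservation System's own code. It puts the upload pattern described above (trusting the client-supplied file name and storing it where PHP can execute it) next to a hardened handler that applies the server-side validation the mitigation asks for. The field name 'image' follows the advisory; the advisory does not say how the parameter is carried, so the example assumes a multipart form file field. The storage path, size limit and the finfo-based content checks are assumptions for illustration.

```php
<?php
// Added example (not the application's code). The two handlers below take a
// $_FILES entry and a target directory; only the second one is safe to use.

// --- Vulnerable pattern: the client controls the stored file name and type ---
function save_image_vulnerable(array $file, string $dir): string
{
    // $file['name'] is attacker-controlled. "shell.php" is accepted as-is and
    // written to a web-served directory, where the PHP engine will execute it.
    $dest = rtrim($dir, '/') . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened pattern: validate content, choose the name ourselves ---
function save_image_hardened(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) { // 2 MiB limit (assumed)
        throw new RuntimeException('file too large');
    }

    // Sniff the real content with libmagic; never trust $file['type'] (sent by
    // the browser) or the extension in $file['name'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }

    // Independent second check: the bytes must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen name: random, with an extension taken from our whitelist,
    // so client names like "shell.php", "x.php.jpg" or "../../x" never matter.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Typical call from an add-amenity form. The upload directory is assumed to
// sit outside the document root (or to be served with PHP execution disabled),
// so that even a validation bypass cannot turn into code execution.
if (isset($_FILES['image'])) {
    $uploadDir = __DIR__ . '/../../storage/amenities'; // assumed location
    try {
        $stored = save_image_hardened($_FILES['image'], $uploadDir);
        echo 'stored';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The content sniffing and the server-generated file name are the two checks that matter most; the extension whitelist alone is not enough, because the original handler's problem is that it accepts whatever the client names the file. Pair this with a web-server rule that disables script execution in the upload directory (for Apache, `php_flag engine off` in that directory's `.htaccess`; for nginx, a location block for the upload path that does not pass requests to PHP-FPM), so that a stored file is only ever served as static data.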
CVE-2026-4875 is the unique identifier for this specific vulnerability in the Free Hotel Reservation System.
Files that can be uploaded: theoretically any type of file, including PHP scripts, executables and other malicious files.
Best temporary mitigation: disable the /admin/mod_amenities/index.php?view=add functionality until an update is released.
Where to check for a fix: vulnerability databases such as the National Vulnerability Database (NVD), or specialized security forums.
A Web Application Firewall (WAF) is a security tool that filters HTTP traffic and can block exploitation attempts.