PatchSiren cyber security CVE debrief
CVE-2026-36726 bookcars CVE debrief
CVE-2026-36726 is a MEDIUM severity vulnerability in bookcars v8.3. An arbitrary file deletion vulnerability exists in the /api/delete-temp-license/{file} endpoint, allowing unauthenticated attackers to delete arbitrary files by supplying directory traversal sequences. The vulnerability has a CVSS score of 5.3 and was published on [2026-06-09](https://www.cve.org/CVERecord?id=CVE-2026-36726).
- Vendor: bookcars
- Product: bookcars
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of bookcars v8.3 should apply patches or mitigations to prevent exploitation of this vulnerability.
Technical summary
The vulnerability exists in the /api/delete-temp-license/{file} endpoint of bookcars v8.3. An unauthenticated attacker can delete arbitrary files by supplying directory traversal sequences. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to bookcars v8.3 to fix the arbitrary file deletion vulnerability.
- Restrict access to the /api/delete-temp-license/{file} endpoint to authenticated users only.
- Monitor for suspicious activity on the /api/delete-temp-license/{file} endpoint.
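One way to act on the monitoring recommendation above, as an added example (not code from bookcars or from this advisory): a Python scan of web access logs that flags requests whose {file} segment decodes to anything other than a single file name. The combined log format, the sample lines and the HTTP method in them are constructed assumptions.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/api/delete-temp-license/"
# Assumed layout: combined log format, '<client> ... "<METHOD> <target> HTTP/x" <status>'
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def file_param(target):
    """Return the raw {file} segment if the request hits the endpoint, else None."""
    path = target.split("?", 1)[0]
    idx = path.lower().find(ENDPOINT)
    return None if idx == -1 else path[idx + len(ENDPOINT):]

def is_traversal(value, max_rounds=3):
    """True if the value decodes to anything other than a single file name."""
    for _ in range(max_rounds):          # undo nested URL-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")     # treat backslash separators the same way
    return "/" in value or value in ("..", ".") or "\x00" in value

def scan(lines):
    """Return (client, method, target, status) for each suspicious request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        value = file_param(target)
        if value is not None and is_traversal(value):
            findings.append((client, method, target, int(status)))
    return findings

# Constructed sample lines (documentation IP ranges; the method is an assumption).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2030:10:00:01 +0000] "POST /api/delete-temp-license/license_1717.pdf HTTP/1.1" 200 2',
    '203.0.113.9 - - [01/Jan/2030:10:01:13 +0000] "POST /api/delete-temp-license/..%2F..%2Fexample.txt HTTP/1.1" 200 2',
    '203.0.113.9 - - [01/Jan/2030:10:01:14 +0000] "POST /api/delete-temp-license/%252e%252e%252fexample.txt HTTP/1.1" 404 0',
    '198.51.100.4 - - [01/Jan/2030:10:02:00 +0000] "GET /api/cars HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Flagged requests that returned a success status deserve priority review.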
Evidence notes
The vulnerability was reported via [ref-4](https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-11).
Official resources
- CVE-2026-36726 CVE record (CVE.org)
- CVE-2026-36726 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-36726 was published on 2026-06-09T19:17:43.093Z and modified on 2026-06-10T18:16:44.273Z.