CVE-2026-30761
Status: Received - Intake
Arbitrary File Upload in SourceBans Material Admin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: MITRE

Description
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-29
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor      Product         Version / Range
sourcebans  material_admin  1.1.6
sourcebans  material_admin  up to 1.1.6 (exclusive)
CWE: CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to execute arbitrary code on the server, leading to full site compromise, unauthorized database access, and potential lateral movement within the network.

Such unauthorized access and potential data exposure could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against breaches.

However, the provided information does not explicitly mention the impact on compliance with these or other common standards and regulations.


Can you explain this vulnerability to me?

CVE-2026-30761 is a Remote Code Execution (RCE) vulnerability in SourceBans Material Admin version 1.1.6 and earlier. It exists in the file upload functionality of the pages/admin.uploadmapimg.php component. An attacker with the ADMIN_ADD_SERVER privilege can bypass the Content-Type check by spoofing the file type header when uploading files.

This allows the attacker to upload arbitrary files, such as PHP shells or malicious .htaccess files, into the web-accessible images/maps directory without proper validation or sanitization. Because the system only checks the client-supplied Content-Type header and PHP upload error code, which can be manipulated, the attacker can execute arbitrary code on the server.


How can this vulnerability impact me?

Successful exploitation of this vulnerability enables remote code execution as the web server user, which can lead to full site compromise.

  • Loss of site integrity
  • Unauthorized access to the database
  • Compromise of game servers via RCON (Remote Console)
  • Lateral movement within the network using stolen credentials

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious file uploads to the admin.uploadmapimg.php endpoint, especially files with spoofed Content-Type headers or unusual file extensions such as PHP shells or .htaccess files.

Commands to detect exploitation attempts might include searching the web-accessible images/maps directory for recently uploaded files with suspicious extensions or contents.

  • Use find command to locate suspicious files: find /path/to/images/maps -type f \( -name '*.php' -o -name '*.htaccess' \) -mtime -7
  • Check web server logs for POST requests to admin.uploadmapimg.php: grep 'POST /pages/admin.uploadmapimg.php' /var/log/apache2/access.log
  • Inspect uploaded files for embedded PHP code: grep -r '<?php' /path/to/images/maps
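
As an added example (not part of this record or of the SourceBans project), the three checks above combined into one sweep that also looks at file content, since a spoofed Content-Type means the extension alone is not a reliable signal; the directory path, fixture file names and the extension list are assumptions to adjust for your server.

```shell
#!/bin/sh
# Defender-side sweep of the images/maps upload directory. The upload handler
# trusted only the client-supplied Content-Type, so these checks look at what
# a file actually is: (1) executable extension or .htaccess by name, and
# (2) content that is not a PNG/JPEG/GIF, or is an image that also carries a
# PHP open tag (image/PHP polyglot). Extension list is an assumption; mirror
# whatever handlers your web server really executes.

magic_hex() { head -c 4 "$1" | od -An -tx1 | tr -d ' \n'; }

is_image() {                     # 89504e47=PNG, ffd8ff=JPEG, 47494638=GIF8
  case "$(magic_hex "$1")" in
    89504e47|ffd8ff*|47494638) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one "reason<TAB>path" line per finding, sorted for stable output.
scan_maps_dir() {
  find "$1" -type f | sort | while IFS= read -r f; do
    case "$(basename "$f")" in
      *.php|*.php[0-9]|*.phtml|*.phar|.htaccess)
        printf 'bad-extension\t%s\n' "$f"; continue ;;
    esac
    if ! is_image "$f"; then
      printf 'not-an-image\t%s\n' "$f"
    elif grep -qa '<?php' "$f"; then
      printf 'php-in-image\t%s\n' "$f"
    fi
  done
}

count_findings() { scan_maps_dir "$1" | wc -l | tr -d ' '; }

# Constructed fixture (harmless marker bytes only) so the script runs offline.
make_fixture() {
  d=$(mktemp -d)
  printf '\211PNG\r\n\032\n'        > "$d/de_dust2.png"   # genuine PNG signature
  printf '\211PNG\r\n\032\n<?php\n' > "$d/cs_office.png"  # PNG header + PHP tag
  printf '<?php\n'                  > "$d/upload.php"     # executable extension
  printf '# constructed\n'          > "$d/.htaccess"      # server config override
  printf 'plain text\n'             > "$d/readme.txt"     # not an image at all
  echo "$d"
}

if [ $# -gt 0 ]; then scan_maps_dir "$1"; fi
```

Run it as `sh scan.sh /path/to/images/maps`; an empty result means nothing in the directory tripped either check, not that the directory is clean of every possible payload.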

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating SourceBans Material Admin to the patched version 1.1.6@fb18342 or later.

If updating is not immediately possible, disable the vulnerable admin.uploadmapimg.php endpoint to prevent file uploads through it.

Additionally, review and restrict ADMIN_ADD_SERVER privileges to trusted users only, and monitor for suspicious activity.

