CVE-2026-30761
Deferred Deferred - Pending Action
Arbitrary File Upload in SourceBans Material Admin

Publication date: 2026-05-28

Last updated on: 2026-05-29

Assigner: MITRE

Description
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-29
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-30761
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sourcebans material_admin 1.1.6
sourcebans material_admin to 1.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to execute arbitrary code on the server, leading to full site compromise, unauthorized database access, and potential lateral movement within the network.

Such unauthorized access and potential data exposure could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against breaches.

However, the provided information does not explicitly mention the impact on compliance with these or other common standards and regulations.

Executive Summary

CVE-2026-30761 is a Remote Code Execution (RCE) vulnerability in SourceBans Material Admin version 1.1.6 and earlier. It exists in the file upload functionality of the pages/admin.uploadmapimg.php component. An attacker with the ADMIN_ADD_SERVER privilege can bypass the Content-Type check by spoofing the file type header when uploading files.

This allows the attacker to upload arbitrary files, such as PHP shells or malicious .htaccess files, into the web-accessible images/maps directory without proper validation or sanitization. Because the system only checks the client-supplied Content-Type header and PHP upload error code, which can be manipulated, the attacker can execute arbitrary code on the server.

Impact Analysis

Successful exploitation of this vulnerability enables remote code execution as the web server user, which can lead to full site compromise.

  • Loss of site integrity
  • Unauthorized access to the database
  • Compromise of game servers via RCON (Remote Console)
  • Lateral movement within the network using stolen credentials
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious file uploads to the admin.uploadmapimg.php endpoint, especially files with spoofed Content-Type headers or unusual file extensions such as PHP shells or .htaccess files.

Commands to detect exploitation attempts might include searching the web-accessible images/maps directory for recently uploaded files with suspicious extensions or contents.

  • Use find command to locate suspicious files: find /path/to/images/maps -type f \( -name '*.php' -o -name '*.htaccess' \) -mtime -7
  • Check web server logs for POST requests to admin.uploadmapimg.php: grep 'POST /pages/admin.uploadmapimg.php' /var/log/apache2/access.log
  • Inspect uploaded files for embedded PHP code: grep -r '<?php' /path/to/images/maps
Mitigation Strategies

Immediate mitigation steps include updating SourceBans Material Admin to the patched version 1.1.6@fb18342 or later.

If updating is not immediately possible, disable the vulnerable admin.uploadmapimg.php endpoint to prevent file uploads through it.

Additionally, review and restrict ADMIN_ADD_SERVER privileges to trusted users only, and monitor for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart