CVE-2026-7733
Deferred - Pending Action
Unrestricted File Upload in FunAdmin up to 7.1.0-rc6

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: VulDB

Description
A flaw has been found in FunAdmin up to 7.1.0-rc6. It affects the function UploadService::chunkUpload in the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. Manipulation of the argument File leads to unrestricted upload. The attack can be carried out remotely. An exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy the patch.
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-05-07
AI Q&A
2026-05-04
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product                           Version / Range
funadmin  frontend_chunked_upload_endpoint  up to 7.1.0-rc6 (inclusive)
funadmin  funadmin                          up to 7.1.0-rc6 (inclusive)
CWE ID   Description
CWE-434  The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to upload arbitrary files, including PHP scripts, to the server. This can lead to remote code execution (RCE) or web shell access, compromising the confidentiality, integrity, and availability of data stored or processed by the affected system.

Such a security flaw can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could result in unauthorized data access or modification, leading to violations of data protection requirements and potential legal and financial consequences.

Therefore, organizations using the affected FunAdmin versions should promptly apply the recommended patch to mitigate risks and maintain compliance with relevant security standards.


Can you explain this vulnerability to me?

CVE-2026-7733 is a security flaw in the FunAdmin framework's chunked file upload functionality, specifically in the UploadService::chunkUpload() method.

The vulnerability arises because this method skips the file validation that the regular (non-chunked) upload path performs, such as checking the file extension and size against the configured limits.

As a result, attackers can bypass these checks and upload malicious files, including executable PHP files, to the server remotely.

This flaw allows unrestricted file upload without authentication, making it possible for attackers to execute arbitrary code on the server.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized remote code execution on your server.

Attackers can upload malicious PHP files that can be executed to gain control over the server, potentially leading to data breaches, server compromise, or deployment of web shells.

Since the upload endpoint does not require authentication, anyone can exploit this remotely without needing valid credentials.

This can result in loss of data integrity, confidentiality, and availability of your systems.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or suspicious file uploads to the chunked upload endpoint, specifically targeting the URL path `/frontend/ajax/uploads`.

You can look for uploads of files with executable extensions such as `.php` into the server's public directory, which should never accept executable files. Note that a standard (combined-format) access log records the request line but not the multipart filename, so the more reliable indicator is a later request for a `.php`, `.phtml` or `.phar` file under the upload storage path, which should only ever serve static content.

Network or web server logs can be searched for POST requests to `/frontend/ajax/uploads` containing file upload data.

Example commands to detect suspicious uploads might include:

  • Using grep on web server logs to find uploads to the vulnerable endpoint: `grep "/frontend/ajax/uploads" /var/log/nginx/access.log`
  • Searching for recently written PHP files in the public directory: `find /path/to/funadmin/public/ -name "*.php" -mtime -7`. Narrow the search to the upload storage directory where possible, since `public/` normally contains the application's own entry script, and extend the pattern to `.phtml` and `.phar` so that an alternative extension does not slip past the check.
  • Using network monitoring tools or IDS to detect HTTP POST requests with file uploads to the chunked upload endpoint.
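The log-correlation idea above, as an added example that is not FunAdmin's own code or tooling: a POSIX shell script that reads a combined-format access log, collects every source IP that POSTed to `/frontend/ajax/uploads`, and then reports any of those IPs that later fetched a PHP-executable file under the upload path with a 200 response. The combined log format, the `/uploads/` storage path and the sample log lines are assumptions constructed for the example; adjust the two variables at the top to your deployment.

```shell
#!/bin/sh
# Added example, not FunAdmin's own code. Correlates combined-format access-log
# entries: first every IP that POSTed to the chunked upload endpoint, then any
# of those IPs that later fetched a PHP-executable file under the upload path.
# Assumptions: nginx/Apache combined log format; uploads are served from
# /uploads/ under the public directory. Adjust both variables to your site.

UPLOAD_ENDPOINT="/frontend/ajax/uploads"
# ERE for a PHP-executable extension under the assumed upload path
# ([.] instead of \. avoids backslash escape handling in awk -v).
UPLOAD_PHP_RE='/uploads/.*[.]ph(p[0-9]*|tml|ar)$'

# Combined log fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
# Print the deduplicated IPs that POSTed to the upload endpoint.
uploaders() {
    awk -v ep="$UPLOAD_ENDPOINT" \
        '$6 == "\"POST" && index($7, ep) == 1 { print $1 }' "$1" | sort -u
}

# Print "ip path" for each uploader that afterwards received a 200 for a PHP
# file under the upload path: the typical sign of a dropped web shell in use.
# The query string is stripped before matching so "shell.php?cmd=id" is caught.
suspicious_webshell_hits() {
    log="$1"
    uploaders "$log" | while read -r ip; do
        awk -v ip="$ip" -v re="$UPLOAD_PHP_RE" '
            $1 == ip && $6 == "\"GET" && $9 == 200 {
                path = $7; q = index(path, "?")
                if (q) path = substr(path, 1, q - 1)
                if (path ~ re) print $1, $7
            }' "$log"
    done | sort -u
}

# Constructed sample log (not real traffic) for a stand-alone run.
sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [04/May/2026:10:00:01 +0000] "POST /frontend/ajax/uploads HTTP/1.1" 200 187 "-" "python-requests/2.31"
203.0.113.5 - - [04/May/2026:10:00:03 +0000] "GET /uploads/20260504/shell.php?cmd=id HTTP/1.1" 200 53 "-" "python-requests/2.31"
198.51.100.7 - - [04/May/2026:10:01:00 +0000] "POST /frontend/ajax/uploads HTTP/1.1" 200 187 "-" "Mozilla/5.0"
198.51.100.7 - - [04/May/2026:10:01:05 +0000] "GET /uploads/20260504/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [04/May/2026:10:02:00 +0000] "GET /uploads/20260504/shell.php HTTP/1.1" 404 153 "-" "curl/8.0"
EOF
}

# Usage: sh detect_upload_abuse.sh /var/log/nginx/access.log
# With no argument, runs against the constructed sample above.
if [ -n "${1:-}" ]; then
    suspicious_webshell_hits "$1"
else
    tmp=$(mktemp)
    sample_log "$tmp"
    suspicious_webshell_hits "$tmp"
    rm -f "$tmp"
fi
```

On the sample, only `203.0.113.5` is reported: it both hit the upload endpoint and then executed `shell.php`. The legitimate uploader of `avatar.png` and the scanner that got a 404 are not. Uploads that were fetched through a different path (for example a rewritten URL) will not show up here, so pair this with the file-system check.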

What immediate steps should I take to mitigate this vulnerability?

The immediate recommended step is to apply the official patch that fixes the vulnerability by adding the missing file validation check in the `chunkUpload()` method.

This patch ensures that the `checkFile()` method is called to validate file extensions and sizes, preventing unauthorized file uploads.

Until the patch is applied, restrict access to the chunked upload endpoint `/frontend/ajax/uploads` with authentication or network-level controls such as firewall rules, and configure the web server so that files under the upload storage directory are served as static content and never handed to the PHP interpreter.

Additionally, monitor and remove any suspicious files that may have been uploaded to the public directory.

Regularly review and harden file upload handling and permissions on the server to minimize risk.
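A script for the clean-up step above (and for the file-system check in the detection section), added here as an example and not part of FunAdmin: it finds PHP-executable files written recently under the upload storage directory, hashes them for the incident record, and moves them into a quarantine directory that must sit outside the web root. The `public/uploads` path, the quarantine location and the files created by the demo are assumptions.

```shell
#!/bin/sh
# Added example, not FunAdmin's own tooling. Finds recently written
# PHP-executable files under the public upload directory, records a SHA-256
# for the incident file, and moves them into a quarantine directory that must
# sit outside the web root. Paths are assumptions; adjust to your deployment.

# Hash a file with whichever tool is available (GNU coreutils or BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# List files under $1 modified within the last $2 days whose extension the PHP
# interpreter may execute. Extensions beyond .php are included on purpose: an
# upload filter that only blocks .php is bypassed with .phtml or .phar.
find_executable_uploads() {
    find "$1" -type f -mtime "-$2" \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -print
}

# Move every hit into $2, named "<basename>.<sha256>" so duplicates keep their
# provenance, and append "hash original quarantined" to $2/manifest.txt.
quarantine_uploads() {
    src="$1"; dst="$2"; days="${3:-7}"
    mkdir -p "$dst"
    find_executable_uploads "$src" "$days" | while IFS= read -r f; do
        hash=$(file_sha256 "$f")
        target="$dst/$(basename "$f").$hash"
        mv "$f" "$target"
        chmod 0600 "$target"                 # never executable or world-readable
        printf '%s %s %s\n' "$hash" "$f" "$target" >> "$dst/manifest.txt"
    done
}

# Stand-alone demo on a constructed directory tree (not a real installation).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/public/uploads/20260504"
    printf '<?php system($_GET["cmd"]);' > "$d/public/uploads/20260504/shell.php"
    printf 'PNG' > "$d/public/uploads/20260504/avatar.png"
    quarantine_uploads "$d/public/uploads" "$d/quarantine" 7
    cat "$d/quarantine/manifest.txt"
    rm -rf "$d"
}

# Usage: sh quarantine_uploads.sh /path/to/funadmin/public/uploads /var/quarantine [days]
if [ "$#" -ge 2 ]; then
    quarantine_uploads "$1" "$2" "${3:-7}"
else
    demo
fi
```

Run it as the web server's user or root, point it at the upload storage directory only (not the whole `public/` tree, which holds the application's entry script), and keep the manifest with the incident record: the hash lets you tie the quarantined file to the access-log hits and to any later analysis. Removing the file does not close the hole; the patch or the access restriction above still has to be applied.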

