CVE-2026-9773
Analyzed Analyzed - Analysis Complete

Command Injection in Unraid Web Interface

Vulnerability report for CVE-2026-9773, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: Zero Day Initiative

Description

Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
unraid unraid to 7.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability allows an attacker with valid authentication to execute arbitrary code remotely on the affected Unraid server. This can lead to full compromise of the system, including unauthorized access, data theft, data modification, service disruption, or further attacks within the network.

Detection Guidance

Detection of this vulnerability involves identifying if the affected Unraid system is running a vulnerable version prior to 7.3.0 and if the ToggleState.php endpoint is accessible.

Since the vulnerability requires authentication and involves command injection via ToggleState.php, monitoring web server logs for suspicious requests to ToggleState.php with unusual parameters may help detect exploitation attempts.

No specific detection commands or signatures are provided in the available information.

Mitigation Strategies

The immediate mitigation step is to update Unraid to version 7.3.0 or later, where the vulnerability has been patched.

Additionally, restrict access to the Unraid web server to trusted users only, as authentication is required to exploit this vulnerability.

Monitoring and reviewing authentication logs for suspicious activity related to ToggleState.php can also help mitigate exploitation risks.

Compliance Impact

This vulnerability allows remote attackers to execute arbitrary code on affected Unraid installations, potentially leading to unauthorized access and control over the system.

Such unauthorized access and potential data compromise could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not specify direct effects or compliance implications related to these regulations.

Executive Summary

This vulnerability is a remote code execution flaw in the Unraid Web Server, specifically in the ToggleState.php file. It occurs because the application does not properly validate a user-supplied string before using it to execute a system call. As a result, an authenticated attacker can execute arbitrary code on the affected system with the privileges of the www-data user.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9773. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart