Vulnerabilities ›

CVE-2026-7733

High

CWE-284 — Weakness Type

                    Published: May 4, 2026                      ·  Modified: May 11, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.

🤖 AI Executive Summary

CVE-2026-7733 is a high-severity vulnerability in funadmin up to version 7.1.0-rc6 that allows unrestricted file uploads through the UploadService::chunkUpload function. Remote attackers can exploit this flaw without authentication to upload arbitrary files to affected systems.

📄 Description (Arabic)

يؤثر هذا الثغر على وظيفة UploadService::chunkUpload في ملف app/common/service/UploadService.php ويسمح برفع الملفات دون قيود. يمكن للمهاجمين البعيدين استغلال هذه الثغرة لرفع ملفات ضارة مثل أصداف الويب أو البرامج الضارة.

🤖 ملخص تنفيذي (AI)

A critical file upload vulnerability exists in funadmin versions up to 7.1.0-rc6 affecting the chunked upload endpoint. This allows remote attackers to upload malicious files without proper validation or authentication controls.

🤖 AI Intelligence Analysis Analyzed: May 7, 2026 09:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government healthcare telecom banking

🎯 MITRE ATT&CK Techniques

T1190 T1199 T1566

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade funadmin to version 7.1.0-rc7 or later that includes patch 59. Implement strict file upload validation including file type verification, size limits, and storage restrictions. Apply network-level access controls to the upload endpoint and monitor upload activities for suspicious patterns.

🔧 خطوات المعالجة (العربية)

قم بترقية funadmin فوراً إلى الإصدار 7.1.0-rc7 أو أحدث الذي يتضمن الرقعة 59. طبق التحقق الصارم من الملفات المرفوعة بما في ذلك التحقق من نوع الملف وحدود الحجم والقيود على التخزين. طبق عناصر تحكم الوصول على مستوى الشبكة على نقطة نهاية التحميل ومراقبة أنشطة التحميل للأنماط المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.14.2.1 A.14.2.5

🔵 SAMA CSF

CC-6.1 CC-6.2 CC-7.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.12.6.1

🔗 References & Sources 6

🔗

https://gitee.com/funadmin/funadmin/

cna@vuldb.com

🔗

https://gitee.com/funadmin/funadmin/issues/IJ8NXT

cna@vuldb.com

🔗

https://gitee.com/funadmin/funadmin/pulls/59

cna@vuldb.com

🔗

https://vuldb.com/submit/807559

cna@vuldb.com

🔗

https://vuldb.com/vuln/360908

cna@vuldb.com

🔗

https://vuldb.com/vuln/360908/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-284

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-05-04

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-284

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-7733

💬 Comments

Introduce Yourself

Sign In Required