Description
A flaw has been found in funadmin up to 7.1.0-rc6. It affects the function UploadService::chunkUpload in the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. Manipulating the argument File leads to unrestricted upload. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 59. Deploying the patch is recommended to fix this issue.
Published: 2026-05-04
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in funadmin’s Frontend Chunked Upload Endpoint allows an attacker to manipulate the 'File' argument in the chunkUpload function. By supplying a crafted request, the attacker can upload arbitrary files to the server without any restrictions. The vulnerability is classified under CWE-284 and CWE-434, and an attacker could use this to deploy malicious code, leading to potential remote code execution or persistence on the affected system.

Affected Systems

The issue applies to funadmin versions up to 7.1.0-rc6. The affected component is UploadService.php in the Frontend Chunked Upload Endpoint. Administrators deploying any version of funadmin before the patch should be aware that the upload directory is writable by unauthenticated or low‑privilege users.

Risk and Exploitability

The CVSS 4.0 base score is 6.9 (Medium); the CVSS 3.0 and 3.1 scores on this record are 7.3 (High). The attack is remote and public proof‑of‑concept code is available; no EPSS score is provided. The vulnerability is not listed in the CISA KEV catalog. Adversaries can upload arbitrary files and may be able to execute code if the uploaded content is later invoked. The attack vector is the web interface’s upload endpoint, and successful exploitation requires network access to the target.

Generated by OpenCVE AI on May 4, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patch referenced as #59 to restrict file uploads.
  • If the patch cannot be applied immediately, configure the upload directory to deny execution permissions and restrict allowed file types through server‑side validation.
  • Use a web application firewall or file‑type whitelist to reject disallowed extensions such as .php, .exe, or scripts.

Advisories

No advisories yet.

History

Mon, 04 May 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.
Title | | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload
First Time appeared | | Funadmin; Funadmin funadmin
Weaknesses | | CWE-284, CWE-434
CPEs | | cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*:*
Vendors & Products | | Funadmin; Funadmin funadmin
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T04:45:24.024Z

Reserved: 2026-05-03T16:10:47.951Z

Link: CVE-2026-7733

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T06:16:02.027

Modified: 2026-05-04T06:16:02.027

Link: CVE-2026-7733

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T08:30:40Z

Weaknesses