Description
Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.

The specific flaw exists within FileUpload.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30116.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability allows authenticated remote attackers to execute arbitrary shell commands on affected installations. The flaw lies in FileUpload.php, where an unvalidated user-supplied string is used in a system call, creating a classic command injection scenario (CWE-78). By exploiting this, an attacker can run any code in the context of the www-data user, potentially gaining full control over the host, including data theft, persistence, and propagation to other services.

Affected Systems

Unraid's core package (Unraid:Unraid) is affected. No specific version information was disclosed in the advisory; therefore, all current installations should be considered at risk until an official patch is applied.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication, meaning an attacker must first obtain valid credentials or otherwise gain access to a legitimate user account. Once authenticated, the attacker can perform command injection via the file upload feature, raising the risk of complete system compromise. Given the high CVSS score and the need for authenticated access, the threat is significant but limited to environments where attackers can reach the upload endpoint and possess user credentials.

Generated by OpenCVE AI on June 25, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Unraid patch that addresses the FileUpload.php command injection flaw as soon as it becomes available.
  • If a patch is not yet released, disable the file upload feature or restrict it to a single, least-privileged account so that only trusted users can interact with the endpoint.
  • Enforce strict role-based access controls on the upload URL, ensuring that only users with the minimum required privileges can initiate uploads.
  • Implement input validation or sanitization for any custom upload scripts to neutralize dangerous characters before invoking system calls.
  • Monitor web server logs for unusual upload activity and block IP addresses that attempt to use the upload endpoint without proper authorization.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Change log (Type / Values Removed / Values Added):

Description / (none) / Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within FileUpload.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30116.
Title / (none) / Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability
Weaknesses / (none) / CWE-78
References / (none) / (none)
Metrics / (none) / cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T21:35:27.773Z

Reserved: 2026-05-27T22:10:08.131Z

Link: CVE-2026-9772

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')