CVE-2026-7733 PUBLISHED

funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload

Assigner: VulDB
Reserved: 03.05.2026 Published: 04.05.2026 Updated: 04.05.2026

A flaw has been found in funadmin up to 7.1.0-rc6. It affects the function UploadService::chunkUpload in the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. Manipulating the argument File results in unrestricted upload. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 59. Deploying a patch is recommended to fix this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 6.9

Product Status

Vendor n/a
Product funadmin
Versions
  • Version 7.1.0-rc1 is affected
  • Version 7.1.0-rc2 is affected
  • Version 7.1.0-rc3 is affected
  • Version 7.1.0-rc4 is affected
  • Version 7.1.0-rc5 is affected
  • Version 7.1.0-rc6 is affected

Credits

  • anch0r (VulDB User) reporter

References

Problem Types

  • Unrestricted Upload CWE
  • Improper Access Controls CWE