{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/funadmin--7.1.0-rc6/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7733"}],"_cs_exploited":false,"_cs_products":["funadmin \u003c= 7.1.0-rc6"],"_cs_severities":["high"],"_cs_tags":["cve","unrestricted file upload","remote code execution"],"_cs_type":"advisory","_cs_vendors":["funadmin"],"content_html":"\u003cp\u003eFunadmin, a web framework, is vulnerable to an unrestricted file upload vulnerability (CVE-2026-7733) affecting versions up to 7.1.0-rc6. The vulnerability exists within the \u003ccode\u003eUploadService::chunkUpload\u003c/code\u003e function in the \u003ccode\u003eapp/common/service/UploadService.php\u003c/code\u003e file, which handles frontend chunked uploads. An attacker can manipulate the \u003ccode\u003eFile\u003c/code\u003e argument during the upload process to bypass security checks and upload arbitrary files. The vulnerability is remotely exploitable, and an exploit has been published. Patch 59 is available to remediate this vulnerability. This issue enables attackers to upload malicious files, such as web shells or executable code, leading to potential remote code execution on the affected server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Funadmin instance running a vulnerable version (\u0026lt;= 7.1.0-rc6).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003eUploadService::chunkUpload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003eFile\u003c/code\u003e argument, bypassing file type and size restrictions.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eUploadService::chunkUpload\u003c/code\u003e function processes the malicious file without proper validation.\u003c/li\u003e\n\u003cli\u003eThe malicious file is written to the server\u0026rsquo;s file system in a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded file, potentially triggering execution (e.g., accessing a PHP web shell).\u003c/li\u003e\n\u003cli\u003eIf the uploaded file is executable code (webshell), the attacker can execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the web server and potentially pivots to other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to upload arbitrary files to the Funadmin server. This can lead to several severe consequences, including remote code execution, web server defacement, data exfiltration, and complete system compromise. Given the ease of exploitation (an exploit is publicly available), affected systems are at high risk of being targeted. Organizations using vulnerable versions of Funadmin should apply patch 59 immediately to prevent potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patch 59 to all Funadmin installations running versions up to 7.1.0-rc6 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to file uploads, specifically requests targeting the \u003ccode\u003eUploadService::chunkUpload\u003c/code\u003e endpoint (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to exploit CVE-2026-7733 by monitoring for requests to the vulnerable endpoint with suspicious parameters.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to filter out requests with malicious payloads targeting the \u003ccode\u003eUploadService::chunkUpload\u003c/code\u003e endpoint (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T06:16:02Z","date_published":"2026-05-04T06:16:02Z","id":"/briefs/2026-05-funadmin-upload/","summary":"Funadmin versions up to 7.1.0-rc6 are vulnerable to unrestricted file uploads due to improper handling of the File argument in the UploadService::chunkUpload function, potentially leading to remote code execution.","title":"Funadmin Unrestricted File Upload Vulnerability (CVE-2026-7733)","url":"https://feed.craftedsignal.io/briefs/2026-05-funadmin-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Funadmin \u003c= 7.1.0-Rc6","version":"https://jsonfeed.org/version/1.1"}