CVE-2026-7733
HIGH
funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload
Title source: cnaDescription
A flaw has been found in funadmin up to 7.1.0-rc6. It affects the function UploadService::chunkUpload in the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. Manipulation of the argument File leads to unrestricted upload. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 59. Deploying the patch is recommended to fix this issue.
References (6)
Core References
Vdb Entry, Technical Description (vdb-entry, technical-description)
VDB-360908 | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload
https://vuldb.com/vuln/360908
Signature, Permissions Required (signature, permissions-required)
VDB-360908 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/360908/cti
Third Party Advisory (third-party-advisory)
Submit #807559 | FunAdmin v<=V7.1.0-rc6 Unrestricted Upload
https://vuldb.com/submit/807559
Exploit (exploit, issue-tracking)
https://gitee.com/funadmin/funadmin/issues/IJ8NXT
Patch (patch)
https://gitee.com/funadmin/funadmin/pulls/59
Product (product)
https://gitee.com/funadmin/funadmin/
Scores
CVSS v3
7.3
EPSS
0.0029
EPSS Percentile
20.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
CWE-434
Status
published
Products (7)
None/funadmin
7.1.0-rc1
None/funadmin
7.1.0-rc2
None/funadmin
7.1.0-rc3
None/funadmin
7.1.0-rc4
None/funadmin
7.1.0-rc5
None/funadmin
7.1.0-rc6
funadmin/funadmin
0 - 7.1.0-rc6 (Packagist)
Published
May 04, 2026
Tracked Since
May 04, 2026