funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.

Basic Information

ID CVE-2026-7733

Source VulDB

Published May 4, 2026 at 04:45

Affected Product

Vendor n/a

Product funadmin

Version 7.1.0-rc1

Affected Versions n/a funadmin 7.1.0-rc1
n/a funadmin 7.1.0-rc2
n/a funadmin 7.1.0-rc3
n/a funadmin 7.1.0-rc4
n/a funadmin 7.1.0-rc5
n/a funadmin 7.1.0-rc6

CWE Classification

CWE-434 CWE-284

References

{
    "lastseen": "",
    "description": "A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.",
    "published": "2026-05-04T04:45:24.024Z",
    "modified": "2026-05-04T04:45:24.024Z",
    "type": "cve",
    "title": "funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/360908\nhttps://vuldb.com/vuln/360908/cti\nhttps://vuldb.com/submit/807559\nhttps://gitee.com/funadmin/funadmin/issues/IJ8NXT\nhttps://gitee.com/funadmin/funadmin/pulls/59\nhttps://gitee.com/funadmin/funadmin/",
    "id": "CVE-2026-7733",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "n/a funadmin 7.1.0-rc1\nn/a funadmin 7.1.0-rc2\nn/a funadmin 7.1.0-rc3\nn/a funadmin 7.1.0-rc4\nn/a funadmin 7.1.0-rc5\nn/a funadmin 7.1.0-rc6",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "funadmin",
    "version": "7.1.0-rc1",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload_CVE-2026-7733