Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability

8.8 / 10

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.

The specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.

AI Analysis

Unraid Web Server is vulnerable to a command injection remote code execution vulnerability due to a lack of proper validation of user-supplied input, allowing attackers to execute arbitrary code.

Basic Information

ID CVE-2026-9773

Source zdi

Published Jun 24, 2026 at 21:35

Affected Product

Vendor Unraid

Product Unraid

Version 1161ec120

Affected Versions Unraid Unraid 1161ec120

CWE Classification

CWE-78

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Unraid

Product Unraid Web Server

Version 1161ec120

References

www.zerodayinitiative.com /advisories/ZDI-26-386/

{
    "lastseen": "",
    "description": "Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.",
    "published": "2026-06-24T21:35:35.679Z",
    "modified": "2026-06-24T21:35:35.679Z",
    "type": "cve",
    "title": "Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability",
    "source": "zdi",
    "references": "https://www.zerodayinitiative.com/advisories/ZDI-26-386/",
    "id": "CVE-2026-9773",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "Unraid Unraid 1161ec120",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Unraid",
    "version": "1161ec120",
    "vendor": "Unraid",
    "ai_description": "Unraid Web Server is vulnerable to a command injection remote code execution vulnerability due to a lack of proper validation of user-supplied input, allowing attackers to execute arbitrary code.",
    "ai_severity": "High",
    "ai_vendor": "Unraid",
    "ai_product": "Unraid Web Server",
    "ai_version": "1161ec120",
    "ai_score": 8.8
}

Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability_CVE-2026-9773