High severity7.3NVD Advisory· Published May 4, 2026· Updated May 5, 2026

CVE-2026-7733

Description

A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
funadmin/funadminPackagist	<= 7.1.0-rc6	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qhh7-263p-54r3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7733ghsaADVISORY
gitee.com/funadmin/funadmin/issues/IJ8NXTnvdWEB
vuldb.com/submit/807559nvdWEB
vuldb.com/vuln/360908nvdWEB
vuldb.com/vuln/360908/ctinvdWEB

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.3/ 10

CVSS v45.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

Probability of exploitation in the next 30 days.

0.06%

VYPR risk score

Composite of severity, exploitation, and reach.

0.47medium

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-284
Improper Access Control
CWE-434
Unrestricted Upload of File with Dangerous Type

CVE ID

CVE-2026-7733

Source code

Credits

A(
anch0r (VulDB User)
reporter