Command Injection Vulnerability Discovered in Unraid Web Server's ToggleState Function (CVE-2026-9773)
A new command injection flaw in Unraid's Web Server, tracked as CVE-2026-9773 with a CVSS score of 8.8, allows authenticated attackers to execute arbitrary code remotely.

Zero Day Initiative (ZDI) disclosed a high-severity command injection vulnerability in the Unraid Web Server's ToggleState functionality on June 24, 2026. The flaw, assigned CVE-2026-9773 and carrying a CVSS score of 8.8, affects the ToggleState.php script where improper validation of user-supplied input before executing a system call enables remote code execution. Authentication is required, but once authenticated, an attacker can leverage this to run arbitrary commands in the context of the www-data user.
The vulnerability stems from the failure to properly sanitize special elements in a command. Specifically, ToggleState.php takes a user-controllable string and passes it directly to a system call without adequate validation. This is a classic command injection pattern that has plagued web applications for years, but in this case, it targets Unraid—a popular NAS (Network Attached Storage) operating system used by home users and small businesses for file storage, media servers, and virtualization.
Unraid users should prioritize applying the patch released in version 7.3.0 stable. The vendor's release notes detail the fix, which addresses the root cause by properly escaping or validating input before execution. Given the CVSS score of 8.8 (High) and the fact that exploitation requires only authentication—not admin privileges—the risk is significant for any exposed instance, especially those accessible over the internet.
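The unsafe shape the advisory describes, beside the validate-then-escape fix it credits to the patch, as an added illustrative example in PHP. This is not Unraid's ToggleState.php or the vendor's code; the `service-ctl` helper path, the parameter names and the allowed states are assumptions chosen for the illustration.

```php
<?php
// Illustrative only: a hypothetical toggle handler, NOT Unraid's ToggleState.php.
// Both functions assume a helper at /usr/local/sbin/service-ctl (assumed path).

// Vulnerable shape: request values are concatenated straight into the command
// string. exec() hands that string to /bin/sh, so any shell metacharacter in
// $name or $state is interpreted by the shell instead of being passed as data.
function toggle_unsafe(string $name, string $state): string
{
    $cmd = "/usr/local/sbin/service-ctl " . $name . " " . $state;
    exec($cmd, $output, $rc);
    return implode("\n", $output);
}

// Hardened shape, step 1: validate against an allowlist before anything else.
// Returns the validated pair, or null when either value is not acceptable.
const ALLOWED_STATES = ['on', 'off'];   // assumed set of toggle states

function validate_toggle(string $name, string $state): ?array
{
    // Service name restricted to a short, fixed character class.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $name)) {
        return null;
    }
    // State must be exactly one of the known values (strict comparison).
    if (!in_array($state, ALLOWED_STATES, true)) {
        return null;
    }
    return [$name, $state];
}

// Hardened shape, step 2: quote each argument even after validation, so the
// shell always receives it as a single literal word (defence in depth).
function toggle_safe(string $name, string $state): string
{
    $args = validate_toggle($name, $state);
    if ($args === null) {
        // Reject and log rather than attempt to "clean" the input.
        error_log("toggle rejected: invalid name or state");
        throw new InvalidArgumentException('invalid toggle request');
    }
    $cmd = '/usr/local/sbin/service-ctl '
         . escapeshellarg($args[0]) . ' ' . escapeshellarg($args[1]);
    exec($cmd, $output, $rc);
    return implode("\n", $output);
}

// Constructed sample inputs: the first passes validation, the second does not.
var_dump(validate_toggle('docker', 'on'));      // array('docker', 'on')
var_dump(validate_toggle('docker', 'restart')); // NULL (not in ALLOWED_STATES)
```

The allowlist is the real fix; `escapeshellarg()` alone is a second layer, not a substitute for rejecting values the handler was never meant to accept.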
The disclosure timeline shows responsible handling: the researcher, Swagat Kumar Mishra, reported the vulnerability on April 22, 2026, and the coordinated public advisory was released on June 24, 2026, alongside a patch. This is the second Unraid command injection disclosure from ZDI in recent weeks, following CVE-2026-9772, which targeted the FileUpload functionality and was disclosed earlier. That flaw also carried an 8.8 CVSS rating and required authentication.
While Unraid has not reported active exploitation in the wild, the pattern of consecutive command injection disclosures highlights a concerning trend in the product's security posture. In both cases, the vulnerable code analyzed user-supplied strings without proper sanitization before executing system commands. Such flaws are often abused by attackers to pivot deeper into networks, install backdoors, or encrypt data in ransomware campaigns.
For users, the mitigation is straightforward: update to Unraid 7.3.0 or later immediately. If updating immediately is not possible, restrict access to the web interface to trusted IPs using firewall rules and disable the ToggleState functionality if not needed. Organizations using Unraid in production environments should audit their deployments to ensure no other command injection vectors remain unpatched.
The importance of this disclosure extends beyond Unraid. It serves as a reminder that even widely deployed NAS solutions must prioritize input validation in web interfaces. With the growing threat of ransomware targeting network-attached storage devices, patching such vulnerabilities should be treated as critical, even when no active exploitation is confirmed.