VYPR
Published Jun 24, 2026 · 1 source

Critical Command Injection Vulnerability Patched in Unraid Web Server (CVE-2026-9772)

A high-severity command injection flaw in Unraid's Web Server FileUpload functionality, tracked as CVE-2026-9772, could let authenticated attackers execute arbitrary code on affected systems.

A critical command injection vulnerability has been disclosed in the Unraid Web Server, tracked as CVE-2026-9772 with a CVSS score of 8.8. The flaw, reported by researcher Swagat Kumar Mishra and published by the Zero Day Initiative as ZDI-26-385, resides in the FileUpload.php component. It stems from improper neutralization of special elements used in a system call when processing file uploads, allowing an authenticated remote attacker to execute arbitrary code in the context of the www-data user.

The vulnerability specifically affects the FileUpload functionality within Unraid's web server. According to the advisory, the issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker who has already gained authenticated access to the Unraid system can exploit this flaw to achieve remote code execution, potentially compromising the entire server.
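As an added illustration (this is not Unraid's FileUpload.php or its patch), the hypothetical PHP handler below shows the CWE-78 pattern the advisory describes next to a hardened form that never lets the client-supplied name reach a shell; the function names, the allow-list pattern and the external tool call are assumptions.

```php
<?php
// Hypothetical upload handler sketch; NOT Unraid's code.
// Both functions receive the temp path PHP wrote the upload to, the file name
// the client sent, and the directory the file should land in.

// Vulnerable pattern: the client-controlled name is interpolated into a shell
// command string, so shell metacharacters in the name become part of the
// command, which runs as the web server user (www-data in the advisory).
function moveUploadVulnerable(string $tmpPath, string $clientName, string $destDir): void
{
    exec("mv $tmpPath $destDir/$clientName"); // user-supplied string reaches /bin/sh
}

// Hardened pattern: validate the name, confine the destination, use the PHP
// file API so that no command string exists for anything to be injected into.
function moveUploadSafe(string $tmpPath, string $clientName, string $destDir): string
{
    // 1. Strip any directory part and allow-list the remaining characters
    //    (assumed policy: ASCII letters, digits, dot, underscore, hyphen).
    $name = basename($clientName);
    if ($name === '.' || $name === '..' || !preg_match('/^[A-Za-z0-9._-]{1,255}$/', $name)) {
        throw new InvalidArgumentException('rejected file name');
    }

    // 2. Resolve the destination directory so the final path cannot escape it.
    $base = realpath($destDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('destination directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;

    // 3. Move with the upload-aware API instead of spawning a shell.
    if (!is_uploaded_file($tmpPath) || !move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

// If an external tool is truly unavoidable, quote every argument individually;
// escapeshellarg() wraps the value so the shell treats it as one literal word.
function describeUploadSafe(string $dest): string
{
    return (string) shell_exec('file -b ' . escapeshellarg($dest));
}
```

The hardened version also serves as a review checklist for similar handlers: reject rather than "clean" unexpected names, pin the output directory, and prefer a library call over a shell command.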

Unraid is a popular NAS (Network Attached Storage) operating system used by both home users and small businesses for managing storage arrays, running applications, and hosting services. The web server component is a critical interface for administration and file management, making this vulnerability particularly concerning for users who expose the management interface to a network.

The vendor has released a fix in Unraid version 7.3.0 stable. Users are strongly advised to update their installations immediately to mitigate the risk. The disclosure timeline shows that the vulnerability was reported to Unraid on April 22, 2026, and the coordinated public release occurred on June 24, 2026.

At the time of disclosure, no in-the-wild exploitation of CVE-2026-9772 has been reported. However, given the high CVSS score and the nature of the flaw—command injection in a widely used NAS platform—security researchers expect that proof-of-concept exploits may emerge quickly. Unraid users should prioritize patching, especially if their systems are accessible from the internet.

This vulnerability adds to a growing list of command injection flaws discovered in web-based management interfaces of storage and server products. Such bugs are particularly dangerous because they often allow attackers to pivot from a low-privilege web user to full system compromise. The discovery by Mishra highlights the continued importance of input validation in web applications, even in mature products like Unraid.

For users who cannot immediately update, the advisory recommends restricting network access to the Unraid web interface to trusted IP addresses only. Disabling file upload functionality temporarily may also reduce the attack surface. However, the most effective mitigation is to apply the patch provided in version 7.3.0.

Synthesized by Vypr AI