PT-2026-36762 · Funadmin · Funadmin
Anch0R · Published 2026-05-04 · Updated 2026-05-04 · CVE-2026-7733
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
funadmin versions prior to 7.1.0-rc6
Description
A flaw in the Frontend Chunked Upload Endpoint allows remote attackers to perform unrestricted file uploads. This issue occurs within the chunkUpload() function of the app/common/service/UploadService.php file due to improper handling of the File argument.
Recommendations
Deploy patch 59 to resolve the issue for versions prior to 7.1.0-rc6.
As a temporary workaround, restrict access to the chunkUpload() function until the patch is applied.
Exploit
Fix
Unrestricted File Upload
Improper Access Control
Related Identifiers
Affected Products
Funadmin