GHSA-qhh7-263p-54r3

Source
https://github.com/advisories/GHSA-qhh7-263p-54r3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qhh7-263p-54r3/GHSA-qhh7-263p-54r3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qhh7-263p-54r3
Aliases
  • CVE-2026-7733
Published
2026-05-04T06:32:02Z
Modified
2026-05-08T16:49:38.265391Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
Funadmin has an Improper Access Control Issue
Details

A flaw has been found in funadmin up to 7.1.0-rc6. It affects the function UploadService::chunkUpload in the file app/common/service/UploadService.php, part of the Frontend Chunked Upload Endpoint component. Manipulating the argument File results in unrestricted upload. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 59. Deploying a patch is recommended to fix this issue.

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-08T16:38:10Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "nvd_published_at": "2026-05-04T06:16:02Z"
}
References

Affected packages

Packagist / funadmin/funadmin

Package

Name
funadmin/funadmin
Purl
pkg:composer/funadmin/funadmin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
7.1.0-rc6

Affected versions

v1.*
v1.1
v1.02
v1.5.0
v2.*
v2.1.0
v2.2
v2.2.6
v2.2.9
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.3
v2.3.1
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v3.*
v3.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v7.*
v7.0.0_rc1
v7.0.0_rc2
v7.0.0_rc3
v7.0.0_rc4
v7.0.0_rc5
v7.0.0_rc6
v7.0.0_rc6.1
v7.0.0_rc6.2
v7.0.0_rc6.3
v7.0.0_rc7
v7.0.0_rc7.1
v7.0.0_rc8.0
v7.0.0_rc8.1
v7.0.0_rc8.1.1
v7.0.0
v7.0.1
v7.0.2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4
v7.1.0-rc5
v7.1.0-rc6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qhh7-263p-54r3/GHSA-qhh7-263p-54r3.json"