Critical Remote Code Execution (CVE‑2026‑9772) in Unraid Web Server FileUpload
What It Is — A command‑injection flaw in FileUpload.php of the Unraid web UI allows an authenticated attacker to execute arbitrary commands as the www‑data user. The issue stems from insufficient validation of a user‑supplied filename before it is passed to a system call.
Exploitability — CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Public advisory released 24 Jun 2026; proof‑of‑concept code is available. Exploitation requires a valid Unraid login, but once obtained the attacker gains full code execution.
Affected Products — Unraid OS (all versions prior to 7.3.0 stable).
Why It Matters for Compliance & Audit Readiness
- SOC 2 requires documented change‑management and vulnerability‑remediation controls (CC6.1, CC7.1); this flaw highlights the need for continuous evidence that patches are applied promptly.
- Mapping the vulnerability to the relevant security criteria and retaining proof of remediation strengthens the audit trail and demonstrates due‑diligence to customers and regulators.
Recommended Actions
- Upgrade all Unraid installations to version 7.3.0 or later.
- Verify the running version via automated inventory tools.
- Map the fix to SOC 2 controls (e.g., CC6.1 – “Vulnerability Management”) and capture patch‑deployment evidence in your compliance repository.
- Incorporate file‑upload input validation into your secure‑development lifecycle to prevent similar issues.
- Update your incident‑response playbook to include detection of anomalous
www‑dataprocesses.
Source: Zero Day Initiative advisory