HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Remote Code Execution (CVE-2026-9772) in Unraid Web Server FileUpload Leads to Arbitrary Code Execution

A command‑injection flaw (CVE‑2026‑9772) in Unraid's web UI allows authenticated users to run arbitrary code as www‑data. The vulnerability scores 8.8 on CVSS and is fixed in version 7.3.0. For SOC 2‑compliant organizations, the incident underscores the importance of rapid patching, control mapping, and audit‑ready evidence of remediation.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 zerodayinitiative.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
zerodayinitiative.com

Critical Remote Code Execution (CVE‑2026‑9772) in Unraid Web Server FileUpload

What It Is — A command‑injection flaw in FileUpload.php of the Unraid web UI allows an authenticated attacker to execute arbitrary commands as the www‑data user. The issue stems from insufficient validation of a user‑supplied filename before it is passed to a system call.

Exploitability — CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Public advisory released 24 Jun 2026; proof‑of‑concept code is available. Exploitation requires a valid Unraid login, but once obtained the attacker gains full code execution.

Affected Products — Unraid OS (all versions prior to 7.3.0 stable).

Why It Matters for Compliance & Audit Readiness

  • SOC 2 requires documented change‑management and vulnerability‑remediation controls (CC6.1, CC7.1); this flaw highlights the need for continuous evidence that patches are applied promptly.
  • Mapping the vulnerability to the relevant security criteria and retaining proof of remediation strengthens the audit trail and demonstrates due‑diligence to customers and regulators.

Recommended Actions

  • Upgrade all Unraid installations to version 7.3.0 or later.
  • Verify the running version via automated inventory tools.
  • Map the fix to SOC 2 controls (e.g., CC6.1 – “Vulnerability Management”) and capture patch‑deployment evidence in your compliance repository.
  • Incorporate file‑upload input validation into your secure‑development lifecycle to prevent similar issues.
  • Update your incident‑response playbook to include detection of anomalous www‑data processes.

Source: Zero Day Initiative advisory

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-385/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →