A high-severity remote code execution vulnerability has been disclosed in Unraid, the popular NAS and home server operating system. Tracked as CVE-2026-9772 and assigned a CVSS score of 8.8, the flaw was discovered by researcher Swagat Kumar Mishra and coordinated through the Zero Day Initiative.
Vulnerability Details
The vulnerability resides in FileUpload.php, a component of the Unraid web server interface. The root cause is insufficient validation of user-supplied input before it is passed to a system call, creating a command injection condition. An attacker who has already authenticated to the Unraid web interface can exploit this to execute arbitrary commands in the context of the www-data user.
While the requirement for prior authentication limits opportunistic exploitation, it does not eliminate meaningful risk. Any user account with access to the Unraid web interface, including lower-privileged accounts, could serve as an entry point. In many home and small-business deployments, authentication controls on NAS systems can be relatively permissive.
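As an added illustration (not Unraid's FileUpload.php; the advisory gives no parameter names or code), the pattern described above in a PHP upload handler, shown beside a hardened version: the filename input, the `$targetDir` setting, and the function names are assumptions.

```php
<?php
// Illustrative example added to this article; not Unraid's FileUpload.php.
// The 'filename' input and $targetDir setting are assumptions.
// Vulnerable pattern: the user-controlled filename is interpolated into a
// shell command string, so shell metacharacters in it become extra commands.
function moveUploadVulnerable(string $tmpPath, string $filename, string $targetDir): void
{
    exec("mv $tmpPath $targetDir/$filename");
}

// Hardened pattern, step 1: reduce the name to a bare basename and accept it
// only if it matches a strict allowlist of characters.
function safeFilename(string $filename): ?string
{
    $base = basename($filename);           // drops any directory components
    if ($base === '' || $base[0] === '.') { // no empty or dot-prefixed names
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,255}$/', $base)) {
        return null;                        // rejects ; | & $ ( ) ` spaces, etc.
    }
    return $base;
}

// Hardened pattern, step 2: never hand the name to a shell at all.
// move_uploaded_file() performs the move in-process, so there is no command
// string for metacharacters to break out of.
function moveUploadHardened(string $tmpPath, string $filename, string $targetDir): bool
{
    $name = safeFilename($filename);
    if ($name === null) {
        return false;
    }
    return move_uploaded_file($tmpPath, rtrim($targetDir, '/') . '/' . $name);
}

// Constructed inputs for a quick self-check of the validator.
$cases = [
    'photo.jpg'          => 'photo.jpg',
    'report_2026-06.pdf' => 'report_2026-06.pdf',
    '../../etc/passwd'   => 'passwd',   // traversal stripped by basename()
    'notes.txt; id'      => null,       // shell metacharacters rejected
    '$(id).txt'          => null,
    '.htaccess'          => null,
];
foreach ($cases as $input => $expected) {
    $got = safeFilename($input);
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . var_export($input, true) . PHP_EOL;
}
```

The second step matters as much as the first: even a well-validated name should not be passed through a shell when a native file API does the same job without a command string.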
Scope and Impact
- Attack Vector: Network
- Privileges Required: Low (authenticated)
- User Interaction: None
- Impact: High confidentiality, integrity, and availability
Remediation
Unraid addressed the vulnerability in version 7.3.0 stable. Administrators running affected versions should upgrade promptly. The fix was released on the same day as the coordinated public disclosure, June 24, 2026.
The vulnerability was originally reported to the vendor on April 22, 2026, allowing approximately two months for a patch to be developed before public disclosure. Security teams managing Unraid deployments exposed to internal networks or accessible remotely should treat this update as a priority.
