CVE-2026-30761: An arbitrary file upload vulnerability in the pages/admin
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows unauthenticated remote attackers to upload crafted files disguised as images. The vulnerability is reachable over the network and requires no authentication or user interaction, based on the CVSS vector (AV:N/PR:N/UI:N). Successful exploitation enables remote code execution on the affected host. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection capability for CVE-2026-30761 is available across every HarborGuard environment, with ingestion from upstream advisory feeds occurring within minutes of publication and matching applied against images in customer registries and CI/CD pipelines. Coverage extends to custom-built images that include SourceBans Material Admin v1.1.6.
Status: Available
HarborGuard is capable of scoring this CVE at 7.3 HIGH (CVSS v3.1) and weighting findings against each environment's compliance policy to determine priority. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization.
Status: Available
No fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the service via HTTP or HTTPS.
- Authentication: Not required
No credentials or session token are needed; the upload endpoint accepts requests from unauthenticated callers.
- Victim interaction: Not required
The attacker sends a crafted request directly to the server; no user action or social engineering is required.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.
Blast Radius
- Attacker uploads and executes arbitrary server-side code, gaining command execution in the context of the web server process.
- Attacker reads files accessible to the web server process, including configuration files that may contain database credentials or API keys.
- Attacker writes or modifies files on the host filesystem within the web server's permission scope, enabling persistent backdoor placement.
- Attacker can disrupt the availability of the service by overwriting critical application files or consuming disk resources.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-30761 is active across all environments scanning images that include SourceBans Material Admin v1.1.6, with matches surfaced within minutes of advisory ingestion. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For customers with auto-remediation enabled, that rebuild will be accompanied by a regression test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include network-policy rules that restrict access to the admin upload endpoint to trusted source IPs, egress filtering to limit what a compromised container can reach, and disabling or gating the map-image upload feature via application configuration if it is not actively needed.
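The root cause described above is an upload handler that trusts a file because it is presented as an image. The following is an added illustration of the server-side checks such a handler should perform; it is not SourceBans Material Admin code and does not reproduce the vulnerable endpoint. It assumes a map-thumbnail feature that only needs PNG, JPEG and GIF, a 2 MiB size cap (both assumptions), and that the stored name is generated by the server rather than taken from the client. Each rejection reason maps to one way a "crafted image" can slip through: a disallowed extension, content that is not an image at all, an extension that disagrees with the magic bytes, or a valid image carrying a PHP open tag (an image/script polyglot).

```python
"""Defensive image-upload validation (added example, not project code)."""
import os
import secrets

# Leading bytes for the raster formats the (assumed) map-image feature needs.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Client-declared extensions, normalised to the MAGIC key they correspond to.
EXT_ALIAS = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for a map thumbnail
# Markers that must never appear inside something stored as an image:
# a valid PNG with "<?php" appended is still executable if it reaches a
# PHP-enabled directory under a name the attacker controls.
PHP_MARKERS = (b"<?php", b"<?=", b"<script")


def sniff_format(data: bytes):
    """Identify the image format from its leading bytes, or None."""
    for fmt, magic in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is server-generated (random hex + sniffed extension), so the
    client never chooses the name, extension or path the file lands under.
    """
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload", None
    base = os.path.basename(filename)
    if "\x00" in base:
        return False, "null byte in filename", None
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "missing extension", None
    declared = EXT_ALIAS.get(ext.lower())
    if declared is None:
        return False, "extension not in image allowlist", None
    actual = sniff_format(data)
    if actual is None:
        return False, "content is not a recognised image", None
    if actual != declared:
        return False, "extension does not match content", None
    if any(marker in data.lower() for marker in PHP_MARKERS):
        return False, "image/script polyglot", None
    return True, "ok", f"{secrets.token_hex(16)}.{actual}"


if __name__ == "__main__":
    # Constructed sample uploads: one genuine PNG and four disguised files.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = [
        ("map.png", png),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.png", b"<?php echo 1; ?>"),
        ("poly.png", b"\x89PNG\r\n\x1a\n" + b"<?PHP echo 1; ?>"),
        ("photo.jpg", png),
    ]
    for name, body in samples:
        ok, reason, stored = validate_upload(name, body)
        print(f"{name:12} -> {'ACCEPT' if ok else 'REJECT'}: {reason} {stored or ''}")
```

Magic-byte and extension checks are the minimum; a handler that must accept arbitrary user images should additionally re-encode the file through an image library so that trailing payloads are discarded, and the upload directory should be served with script execution disabled regardless of what validation accepts.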
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1 (n/a / n/a n/a)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L