HIGH 7.3

CVE-2026-30760: SourceBans Material Admin XAJAX Arbitrary User Data Manipulation

SourceBans Material Admin, a web-based administration panel, contains a vulnerability that allows unauthenticated attackers to alter user data through a specially crafted XAJAX request. An attacker can send a malicious web request to manipulate account information, permissions, or other critical user attributes without needing valid credentials. This affects versions prior to 1.1.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-30760 is an improper input validation flaw (CWE-20) in SourceBans Material Admin's XAJAX interface. The vulnerability stems from insufficient validation of user-supplied input in XAJAX calls, enabling attackers to inject or modify arbitrary user data. The attack requires network access but no authentication or user interaction. The CVSS 3.1 score of 7.3 (HIGH) reflects the network-based, authentication-free attack surface combined with confidentiality, integrity, and availability impact.

Business impact

Compromise of user account data and administrative settings creates operational risk and potential compliance violations. Attackers can escalate privileges, modify ban lists or user roles, or manipulate audit trails, undermining the integrity of server administration and player management systems that depend on SourceBans. Data exposure and unauthorized modifications may trigger breach notification obligations and erode trust in infrastructure.

Affected systems

SourceBans Material Admin versions before 1.1.6 (specifically before commit 3ecd95e) are affected. The vulnerability is network-accessible and does not require prior authentication, making any deployed instance on the internet or accessible network potentially at risk.

Exploitability

This vulnerability is readily exploitable. No authentication is required, the attack vector is network-based, and the complexity is low. An attacker need only craft a malicious XAJAX request with manipulated parameters to alter user data. The lack of complexity and absence of user interaction barriers mean exploitation can be automated and scaled.

Remediation

Upgrade SourceBans Material Admin to version 1.1.6 or later. Verify that the installed commit hash matches or exceeds 3ecd95e. Organizations should prioritize patching immediately given the high CVSS score and unauthenticated attack vector. Until patching is complete, implement network segmentation to restrict access to the admin panel to trusted IP ranges.

Patch guidance

Obtain and deploy SourceBans Material Admin v1.1.6 or newer from the official repository. Verify the commit hash to ensure the patch is applied. Test the update in a staging environment to confirm admin functionality and data integrity are preserved. After deployment, validate that XAJAX requests are now properly sanitized by attempting known payload patterns in a controlled test.

Detection guidance

Monitor web server logs for suspicious XAJAX requests, particularly those with unusual parameter values or encoding. Look for POST requests to XAJAX endpoints with payloads attempting to manipulate user fields (roles, permissions, bans). Implement request inspection rules to flag XAJAX calls with SQL injection, script injection, or serialized object manipulation patterns. Check audit logs for unexpected user data modifications, especially changes to administrative accounts or permissions.

Why prioritize this

HIGH priority due to unauthenticated remote code path to data manipulation, broad impact on user and admin data, lack of complexity for exploitation, and absence of CVSS mitigating factors. Organizations running SourceBans Material Admin should treat this as urgent, particularly if the panel is exposed to untrusted networks.

Risk score, explained

The CVSS 3.1 score of 7.3 reflects an unauthenticated network attack vector (AV:N), low attack complexity (AC:L), no privilege or user interaction required (PR:N/UI:N), and moderate impact across confidentiality, integrity, and availability (C:L/I:L/A:L). The absence of scope change (S:U) prevents a higher rating, but the combination of accessibility and data manipulation capability results in a HIGH severity classification.

Frequently asked questions

Who is affected by this vulnerability?

Organizations operating SourceBans Material Admin versions before 1.1.6, particularly those with internet-facing or network-accessible admin panels. Any deployment without access controls is at immediate risk.

Can this vulnerability be exploited without credentials?

Yes. The vulnerability exists in the XAJAX interface validation layer and does not require authentication, making it a network-accessible threat to any exposed instance.

What is the immediate mitigation if patching is delayed?

Restrict network access to the SourceBans Material Admin panel using firewall rules or reverse proxy controls. Limit access to known trusted IP addresses and monitor XAJAX request patterns for anomalies.

How do I verify the patch is applied?

Confirm your deployment is running SourceBans Material Admin v1.1.6 or later and verify the commit hash is 3ecd95e or newer. Check the admin panel version information and confirm XAJAX input handling has been hardened.

This analysis is provided for informational purposes. Organizations should verify compatibility, test patches in non-production environments, and consult official vendor advisories before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence. Consult SourceBans project resources for definitive patching and configuration guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).