CVE-2026-30761: SourceBans Material Admin Arbitrary File Upload RCE Vulnerability
SourceBans Material Admin v1.1.6 contains a critical weakness in its image upload functionality that allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers. An attacker can craft a specially designed image file that bypasses upload validation, leading to remote code execution without needing valid credentials or user interaction. This is a direct pathway to full system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-30761 is an arbitrary file upload vulnerability (CWE-434) in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6. The vulnerability stems from insufficient validation of uploaded files, permitting attackers to bypass file type checks and upload executable code disguised as or alongside image data. The CVSS 3.1 score of 7.3 (HIGH) reflects network accessibility, low attack complexity, and lack of authentication requirements, combined with impact to confidentiality, integrity, and availability. The attack vector is entirely unauthenticated and requires no user interaction.
Business impact
Successful exploitation grants attackers unauthorized code execution capabilities on game server administration systems. For organizations using SourceBans Material Admin v1.1.6, compromise could result in unauthorized access to player databases, server configuration theft, service disruption, or use of compromised infrastructure for lateral movement into broader network environments. Game communities and hosting providers face reputational damage, data breach notifications, and potential regulatory exposure if player personal information is accessed.
Affected systems
SourceBans Material Admin version 1.1.6 is directly affected. Organizations running this version in production—particularly game hosting providers, esports platforms, and community-managed game servers—should treat this as an immediate inventory priority. Older and newer versions require verification against vendor advisories to confirm scope and applicability.
Exploitability
This vulnerability is highly exploitable. The lack of authentication requirements (PR:N) and low attack complexity (AC:L) mean any unauthenticated attacker on the network can attempt exploitation without special tools or extensive reconnaissance. File upload functionality is typically exposed in web interfaces, making discovery trivial. No user interaction or social engineering is required; exploitation is entirely automated. The accessibility and simplicity create immediate operational risk.
Remediation
Upgrade SourceBans Material Admin to a patched version released after the vulnerability disclosure. Verify the specific patched version number with the vendor's official advisory, as the ground-truth data does not specify a remediation version. If an immediate patch is unavailable, restrict network access to the admin upload component using firewall rules or IP whitelisting, disable the upload functionality if not actively required, and implement file type validation and code execution prevention at the application and system level.
Patch guidance
Contact the SourceBans project maintainers or check official project repositories for a security update addressing CWE-434 file upload validation. Apply the patch to all production and staging instances of Material Admin v1.1.6 without delay. Verify the patch by reviewing release notes confirming the fix scope, then conduct post-patch testing to ensure upload functionality works as intended and rejects malicious payloads.
Detection guidance
Monitor the pages/admin.uploadmapimg.php endpoint for unusual file upload activity, including file types that deviate from expected image formats (e.g., .php, .exe, .sh uploads). Log and alert on POST requests to the upload handler from unexpected IP addresses or with suspicious file extensions or MIME type mismatches. Review uploaded file storage directories for executables or script files. Correlate uploads with subsequent process execution or filesystem modifications on the server. Implement Web Application Firewall (WAF) rules to block executable file uploads and enforce strict Content-Type validation.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS score (7.3), complete lack of authentication barriers, remote exploitability without user interaction, and direct path to arbitrary code execution. Organizations running v1.1.6 face immediate risk and should treat patching as a critical control. Even organizations on other versions should verify their specific version status promptly.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects: Network accessibility (AV:N) allowing remote exploitation; Low attack complexity (AC:L) requiring minimal attacker effort; No authentication prerequisite (PR:N); No user interaction needed (UI:N); and impact across confidentiality (C:L), integrity (I:L), and availability (A:L). While the impact ratings are moderate, the attack ease and lack of barriers drive the HIGH severity classification.
Frequently asked questions
Is my organization affected if we are not running SourceBans Material Admin v1.1.6?
Not directly if you are on a different version. However, verify your exact version against vendor advisories, as other versions may be affected or vulnerable to related issues. If you are on v1.1.6, you are affected and should remediate immediately.
Can this vulnerability be exploited from the internet, or only from internal networks?
The vulnerability is exploitable from the internet. The CVSS vector shows AV:N (Network), meaning an unauthenticated attacker anywhere on the internet can attempt exploitation if the upload endpoint is publicly accessible. Restrict network access to the admin panel to trusted IP ranges immediately as a temporary mitigation.
What should we do if we cannot patch immediately?
Implement network-level access controls to restrict traffic to pages/admin.uploadmapimg.php to authorized administrator IPs only. Disable the upload feature if not actively in use. Deploy a WAF rule to block executable file uploads and enforce strict MIME type validation. Monitor upload logs for suspicious activity. These are temporary controls—plan for patching within 24-48 hours.
How can we determine if our system was already compromised?
Review web server access logs for requests to the uploadmapimg.php endpoint, particularly POST requests. Check uploaded file directories for unexpected executables or scripts. Search process execution logs for suspicious child processes spawned from web server processes. If you identify unauthorized uploads or code execution, assume compromise and initiate incident response procedures immediately.
This analysis is based on the published CVE record and CVSS assessment as of the modification date. Specific patch version numbers and vendor advisories should be verified directly with official SourceBans documentation and security advisories. This vulnerability intelligence is provided for informational purposes to support security decision-making; organizations must validate applicability to their specific environments and conduct independent risk assessments. No exploit code or weaponized proof-of-concept is provided or endorsed. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-39292HIGHPHPPageBuilder Remote Code Execution via Unrestricted File Upload
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler