EUVD-2026-12166CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951.
Analysis
Critical path traversal vulnerability in Unraid's update.php file that allows authenticated remote attackers to execute arbitrary code as root. The vulnerability affects all versions of Unraid (per CPE data) and was discovered by Zero Day Initiative (ZDI-CAN-28951). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all Unraid instances in your environment and restrict network access to update.php to essential administrators only. Within 7 days: Implement network segmentation to isolate Unraid systems and deploy WAF rules blocking POST requests to update.php from untrusted sources; evaluate whether Unraid is critical to operations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today