CVE-2026-9773
HighCVSS 8.8Exploitation Probability (EPSS)
Elevated risk62th percentile — higher than 62% of all known CVEs
Summary
The vulnerability allows remote code execution in Unraid via command injection in ToggleState.php. Authentication is required, and the issue stems from missing validation of user input before using it in a system call.
Risk Assessment
An attacker can take control of the Unraid server as the www-data user, potentially compromising data confidentiality, integrity, and availability.
Recommendation
Apply the update provided by Unraid immediately to fix the vulnerability in ToggleState.php.
Original NVD description (English source)
Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.

