{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3838", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-09T16:02:10.333Z", "datePublished": "2026-03-13T20:37:53.130Z", "dateUpdated": "2026-03-16T20:22:01.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:37:53.130Z"}, "title": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951."}], "affected": [{"vendor": "Unraid", "product": "Unraid", "versions": [{"version": "7.2.3", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-171/", "name": "ZDI-26-171", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-09T16:02:10.603Z", "datePublic": "2026-03-09T23:14:33.729Z", "source": {"lang": "en", "value": "Nicolas Chatelain (Nicocha30)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T20:21:50.289303Z", "id": "CVE-2026-3838", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:01.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:21:50.289303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:21:57.535Z"}}], "cna": {"title": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Nicolas Chatelain (Nicocha30)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Unraid", "product": "Unraid", "versions": [{"status": "affected", "version": "7.2.3"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-09T23:14:33.729Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-171/", "name": "ZDI-26-171", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-09T16:02:10.603Z", "descriptions": [{"lang": "en", "value": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:37:53.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3838", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:01.886Z", "dateReserved": "2026-03-09T16:02:10.333Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-03-13T20:37:53.130Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:unraid:unraid:7.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D95356E9-EA87-443B-938B-89188AAB478B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unraid Update Request Path Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the update.php file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28951."}], "id": "CVE-2026-3838", "lastModified": "2026-03-17T14:18:58.587", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:52.877", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-171/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.2.3"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Unraid", "source": "cna", "vendor": "Unraid"}, "product": "unraid", "vendor": "unraid"}], "analysis": {"en": {"generated_at": "2026-04-28T17:29:11.032818+00:00", "value": {"mitigation_remediation": ["Apply the official patch from Unraid once it becomes available.", "If a patch is not immediately available, disable the update.php endpoint or restrict its access to trusted users only.", "Monitor Unraid logs and network traffic for suspicious activity related to update operations and consider changing default credentials."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected installations belong to the Unraid operating system, specifically version 7.2.3 as identified by the CPE entry. The flaw originates from the update.php file in this release.", "description_and_impact": "Unraid systems are vulnerable to a path traversal flaw in the update.php file that allows attackers to supply a crafted file path and execute arbitrary code as root. The vulnerability is a CWE-22 type (Path Traversal). Because the application does not validate the user\u2011supplied path before performing file operations, a remote authenticated attacker can run any code on the host, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity. EPSS of 3% suggests a relatively low probability of exploitation in the current environment, yet the vulnerability is not listed in CISA\u2019s KEV catalog. The attack requires authentication, implying that an attacker must have valid credentials or an authenticated session on the Unraid web interface. Once authentication is achieved, the exploitation path is straightforward and yields root\u2011level code execution."}}}}, "created": "2026-03-16T09:23:40.215493+00:00", "updated": "2026-04-28T17:30:10.625997+00:00", "vendors": ["unraid", "unraid$PRODUCT$unraid"]}