PatchSiren cyber security CVE debrief

CVE-2026-30761 SB-MaterialAdmin CVE debrief

An arbitrary file upload vulnerability exists in SourceBans Material Admin v1.1.6, specifically within the pages/admin.uploadmapimg.php component. The flaw allows attackers to upload crafted image files that can lead to arbitrary code execution. This vulnerability was disclosed on May 28, 2026, and affects the web-based administration interface for SourceBans, a ban management system for Source engine game servers. The issue appears to stem from insufficient validation of uploaded file contents, potentially allowing malicious files to be processed as executable code on the server.

Vendor: SB-MaterialAdmin
Product: SourceBans Material Admin
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running SourceBans Material Admin v1.1.6 for game server ban management; system administrators responsible for Source engine game server infrastructure; security teams monitoring web applications with file upload functionality

Technical summary

The vulnerability resides in pages/admin.uploadmapimg.php of SourceBans Material Admin v1.1.6. Insufficient validation of uploaded image files allows attackers to upload crafted files that may then be executed as code on the server. This is a critical attack vector because a successful upload yields code execution on the host, even though the affected component is part of the administrative interface and is typically accessible only to privileged users. If authentication bypasses or session hijacking are possible, the attack surface expands significantly.

Defensive priority

high

Recommended defensive actions

  • Upgrade SourceBans Material Admin to a version newer than v1.1.6 when available, or apply vendor-provided patches
  • Restrict access to the admin.uploadmapimg.php endpoint to trusted administrative IP addresses only
  • Implement strict file type validation on the server side, verifying file contents rather than relying solely on extensions
  • Configure the web server to prevent execution of uploaded files in the upload directory (e.g., disable PHP execution in upload folders)
  • Review and monitor upload directories for unexpected or executable file types
  • Consider implementing Web Application Firewall (WAF) rules to detect and block malicious file upload attempts
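The following handler illustrates the server-side content validation and non-executable storage recommended above. It is example code added to this debrief, not code from SourceBans Material Admin; the upload directory, the 2 MiB size cap, and the availability of PHP 8 with the fileinfo and GD extensions are assumptions.

```php
<?php
// Added example for this debrief, not SourceBans Material Admin code. Assumptions:
// PHP 8 with fileinfo and GD, and an upload dir outside the web root (or with PHP disabled).
const MAX_BYTES  = 2 * 1024 * 1024;
const UPLOAD_DIR = '/var/www/sbma-uploads';
// Accepted MIME types, as sniffed from the bytes, mapped to the extension we assign.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Validates one entry of $_FILES and stores it under a random name.
// Returns the stored filename; throws on any failure.
function storeMapImage(array $file): string
{
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // 1. Sniff the type from content; never trust $file['type'] or the client's extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // 2. The file must decode as that image type, not merely start with its magic bytes.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // 3. Re-encode through GD so appended or embedded non-image bytes are discarded.
    $img = match ($mime) {
        'image/png'  => @imagecreatefrompng($file['tmp_name']),
        'image/jpeg' => @imagecreatefromjpeg($file['tmp_name']),
        'image/gif'  => @imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // 4. Server-chosen random name with a whitelisted extension; no client path components.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($mime) {
        'image/png'  => imagepng($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}
```

Pair this with a web-server rule that refuses to run PHP under the upload directory (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so a validation slip cannot become code execution.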

Evidence notes

CVE description confirms arbitrary file upload leading to code execution in admin.uploadmapimg.php. GitHub issue #374 in the SB-MaterialAdmin/Web repository appears related to this vulnerability. Two gist references from ng-dst suggest proof-of-concept or technical details may be available.
