CVE-2026-2894

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2894
Aliases
Published
2026-02-21T23:15:59.763Z
Modified
2026-04-10T05:41:26.846747Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/funadmin/funadmin

Affected ranges

Type
GIT
Repo
https://github.com/funadmin/funadmin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
64f7db23d3a87986978f0b46d65cb9ab756d33bb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2f328b603e9d007a10e864d26786bc371613276f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d81b6fe745b325c582e9a6d3c38dfb72fe5cc4a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4bcda339edc68000f77b42d418a171e90c640949
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc4"
        }
    ]
}

Affected versions

v1.*
v1.02
v1.1
v1.5.0
v2.*
v2.1.0
v2.2
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.6
v2.2.9
v2.3
v2.3.1
v2.3测试版
v2.4.0
v2.4.1
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0
v7.0.0_rc1
v7.0.0_rc2
v7.0.0_rc3
v7.0.0_rc4
v7.0.0_rc5
v7.0.0_rc6
v7.0.0_rc6.1
v7.0.0_rc6.2
v7.0.0_rc6.3
v7.0.0_rc7
v7.0.0_rc7.1
v7.0.0_rc8.0
v7.0.0_rc8.1
v7.0.0_rc8.1.1
v7.0.1
v7.0.2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2894.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.1.0"
            }
        ]
    }
]