CVE-2026-2895

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2895
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2895.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2895
Aliases
Published
2026-02-21T23:15:59.990Z
Modified
2026-04-10T05:41:26.503827Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/funadmin/funadmin

Affected ranges

Type
GIT
Repo
https://github.com/funadmin/funadmin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
64f7db23d3a87986978f0b46d65cb9ab756d33bb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2f328b603e9d007a10e864d26786bc371613276f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d81b6fe745b325c582e9a6d3c38dfb72fe5cc4a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4bcda339edc68000f77b42d418a171e90c640949
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc4"
        }
    ]
}

Affected versions

v1.*
v1.02
v1.1
v1.5.0
v2.*
v2.1.0
v2.2
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.6
v2.2.9
v2.3
v2.3.1
v2.3测试版
v2.4.0
v2.4.1
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0
v7.0.0_rc1
v7.0.0_rc2
v7.0.0_rc3
v7.0.0_rc4
v7.0.0_rc5
v7.0.0_rc6
v7.0.0_rc6.1
v7.0.0_rc6.2
v7.0.0_rc6.3
v7.0.0_rc7
v7.0.0_rc7.1
v7.0.0_rc8.0
v7.0.0_rc8.1
v7.0.0_rc8.1.1
v7.0.1
v7.0.2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2895.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.1.0"
            }
        ]
    }
]