CVE-2026-2896

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2896
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2896.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2896
Aliases
Published
2026-02-22T00:15:59.450Z
Modified
2026-04-10T05:41:26.477462Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/funadmin/funadmin

Affected ranges

Type
GIT
Repo
https://github.com/funadmin/funadmin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
64f7db23d3a87986978f0b46d65cb9ab756d33bb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2f328b603e9d007a10e864d26786bc371613276f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d81b6fe745b325c582e9a6d3c38dfb72fe5cc4a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4bcda339edc68000f77b42d418a171e90c640949
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc4"
        }
    ]
}

Affected versions

v1.*
v1.02
v1.1
v1.5.0
v2.*
v2.1.0
v2.2
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.6
v2.2.9
v2.3
v2.3.1
v2.3测试版
v2.4.0
v2.4.1
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0
v7.0.0_rc1
v7.0.0_rc2
v7.0.0_rc3
v7.0.0_rc4
v7.0.0_rc5
v7.0.0_rc6
v7.0.0_rc6.1
v7.0.0_rc6.2
v7.0.0_rc6.3
v7.0.0_rc7
v7.0.0_rc7.1
v7.0.0_rc8.0
v7.0.0_rc8.1
v7.0.0_rc8.1.1
v7.0.1
v7.0.2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2896.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.1.0"
            }
        ]
    }
]