CVE-2026-2898

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2898
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2898.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2898
Aliases
Published
2026-02-22T01:16:00.350Z
Modified
2026-04-10T05:41:26.763928Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

Git / github.com/funadmin/funadmin

Affected ranges

Type
GIT
Repo
https://github.com/funadmin/funadmin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
64f7db23d3a87986978f0b46d65cb9ab756d33bb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2f328b603e9d007a10e864d26786bc371613276f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2d81b6fe745b325c582e9a6d3c38dfb72fe5cc4a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4bcda339edc68000f77b42d418a171e90c640949
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.1.0-rc4"
        }
    ]
}

Affected versions

v1.*
v1.02
v1.1
v1.5.0
v2.*
v2.1.0
v2.2
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.6
v2.2.9
v2.3
v2.3.1
v2.3测试版
v2.4.0
v2.4.1
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v3.*
v3.0
v3.0.1
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v5.*
v5.0.0
v5.0.1
v5.0.2
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0
v7.0.0_rc1
v7.0.0_rc2
v7.0.0_rc3
v7.0.0_rc4
v7.0.0_rc5
v7.0.0_rc6
v7.0.0_rc6.1
v7.0.0_rc6.2
v7.0.0_rc6.3
v7.0.0_rc7
v7.0.0_rc7.1
v7.0.0_rc8.0
v7.0.0_rc8.1
v7.0.0_rc8.1.1
v7.0.1
v7.0.2
v7.1.0-rc1
v7.1.0-rc2
v7.1.0-rc3
v7.1.0-rc4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2898.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.1.0"
            }
        ]
    }
]