← Voltar para CVEs
CVE-2026-2895
LOW3.7
Descricao
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Detalhes CVE
Pontuacao CVSS v3.13.7
SeveridadeLOW
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado2/21/2026
Ultima modificacao2/24/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
funadmin:funadmin
Fraquezas (CWE)
CWE-640
Referencias
https://github.com/I4m6da/CVE/issues/2(cna@vuldb.com)
https://github.com/I4m6da/CVE/issues/2#issue-3884919985(cna@vuldb.com)
https://vuldb.com/?ctiid.347206(cna@vuldb.com)
https://vuldb.com/?id.347206(cna@vuldb.com)
https://vuldb.com/?submit.753971(cna@vuldb.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.