Cyber Posture

CVE-2026-2895

LowPublic PoC

Published: 21 February 2026

Published
21 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0013 31.7th percentile
Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack…

more

is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely remediation of the specific flaw in the repass function enabling weak password recovery via forget_code/vercode manipulation.

IA-5 Authenticator Management good match
prevent

Mandates secure management of authenticators, including password recovery codes, to prevent weak mechanisms that allow bypassing robust recovery controls.

SI-10 Information Input Validation good match
prevent

Enforces validation of inputs like forget_code and vercode arguments to block manipulation attempts in the password recovery process.

Security SummaryAI

CVE-2026-2895 is a security vulnerability in funadmin versions up to 7.1.0-rc4, specifically affecting the repass function in the file app/frontend/controller/Member.php. The flaw enables weak password recovery through manipulation of the forget_code or vercode arguments, classified under CWE-640. It carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating low severity with network accessibility but high attack complexity.

Remote attackers require no privileges to attempt exploitation, though the high complexity makes it difficult to execute successfully. Exploitation leads to a low-impact integrity violation, allowing weak password recovery that could compromise user account security by bypassing robust recovery controls.

Advisories note that the vendor was contacted early about the disclosure but provided no response, with no patches or official mitigations available. References include GitHub issues at https://github.com/I4m6da/CVE/issues/2 and related comments, as well as VulDB entries at https://vuldb.com/?ctiid.347206, https://vuldb.com/?id.347206, and https://vuldb.com/?submit.753971, which confirm the issue details.

The exploit has been publicly released and may be used for attacks, though exploitation remains known to be difficult. The vulnerability was published on 2026-02-21.

Details

CWE(s)
CWE-640

Affected Products

funadmin
funadmin
7.1.0 · ≤ 7.1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
attack.mitre.org →
Why these techniques?

The vulnerability in the public-facing funadmin web application enables remote exploitation via manipulation of password recovery parameters, directly facilitating T1190 (Exploit Public-Facing Application) as an initial access vector and T1212 (Exploitation for Credential Access) by allowing unauthorized password resets.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References