CVE-2026-2894 - Vulnerability Details

- funadmin forget.html getMember information disclosure

Description

A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-21

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an unauthenticated attacker to invoke the getMember function through the funadmin login/forget.html page and retrieve sensitive member information. This represents a direct exposure of data that should be protected, classified under CWE-200 and CWE-284.

Affected Systems

All installations of funadmin up to and including version 7.1.0-rc4 are affected. The impact is limited to the funadmin product; no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability and the EPSS score of less than 1% suggests a low exploitation probability at the time of analysis. The vulnerability can be triggered remotely, and publicly available exploits exist, but it is not currently recorded in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

funadmin

affected

Version	Status	Constraints
`7.1.0-rc1`	affected	—
`7.1.0-rc2`	affected	—
`7.1.0-rc3`	affected	—
`7.1.0-rc4`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:funadmin:funadmin::::::::
	cpe:2.3:a:funadmin:funadmin:7.1.0:rc1::::::
	cpe:2.3:a:funadmin:funadmin:7.1.0:rc2::::::
	cpe:2.3:a:funadmin:funadmin:7.1.0:rc3::::::
	cpe:2.3:a:funadmin:funadmin:7.1.0:rc4::::::

No data.

Vendor Product Confidence Versions

Funadmin

95%

Version	Status	Scheme	Platform
`7.1.0-rc1`	affected	semver	—
`7.1.0-rc2`	affected	semver	—
`7.1.0-rc3`	affected	semver	—
`7.1.0-rc4`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the latest funadmin release that contains the fix, such as version 7.1.1 or later.
If an immediate upgrade is not possible, restrict network access to the /app/frontend/view/login/forget.html endpoint or enforce authentication before allowing requests to the getMember function.
Monitor authentication and member lookup logs for anomalous activity and investigate any suspicious traffic to the getMember endpoint.

Generated by OpenCVE AI on April 17, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8hhx-xq9j-xwfj	funadmin exposes sensitive information via getMember function

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/I4m6da/CVE/issues/1
https://github.com/I4m6da/CVE/issues/1#issue-3884896592
https://vuldb.com/?ctiid.347205
https://vuldb.com/?id.347205
https://vuldb.com/?submit.753969

History

Tue, 24 Feb 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:funadmin:funadmin:7.1.0:rc1:::::: cpe:2.3:a:funadmin:funadmin:7.1.0:rc2:::::: cpe:2.3:a:funadmin:funadmin:7.1.0:rc3:::::: cpe:2.3:a:funadmin:funadmin:7.1.0:rc4::::::

Mon, 23 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 21 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		funadmin forget.html getMember information disclosure
First Time appeared		Funadmin Funadmin funadmin
Weaknesses		CWE-200 CWE-284
CPEs		cpe:2.3:a:funadmin:funadmin::::::::
Vendors & Products		Funadmin Funadmin funadmin
References		https://github.com/I4m6da/CVE/issues/1 https://github.com/I4m6da/CVE/issues/1#issue-3884896592 https://vuldb.com/?ctiid.347205 https://vuldb.com/?id.347205 https://vuldb.com/?submit.753969
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Funadmin Funadmin

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-21T23:02:09.334Z

Updated: 2026-02-23T19:28:14.585Z

Reserved: 2026-02-20T18:56:39.810Z

Link: CVE-2026-2894

Vulnrichment

Updated: 2026-02-23T19:28:08.071Z

NVD

Status : Analyzed

Published: 2026-02-21T23:15:59.763

Modified: 2026-02-24T16:48:40.657

Link: CVE-2026-2894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object