CVE-2026-2894

5.3 MEDIUM

📋 TL;DR

This vulnerability in funadmin allows remote attackers to exploit the getMember function in the forget.html login component to disclose sensitive information. It affects all funadmin installations up to version 7.1.0-rc4. The exploit is publicly available and can be launched without authentication.

💻 Affected Systems

Products:
  • funadmin
Versions: up to 7.1.0-rc4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable component are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive user information, credentials, or system configuration details, leading to further compromise.

🟠 Likely Case

Information disclosure of user data or system details that could facilitate additional attacks.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit is available on GitHub; remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Upgrade to a version beyond 7.1.0-rc4 if one is available; otherwise apply the workarounds below.

🔧 Temporary Workarounds

Disable vulnerable component (platform: linux)

Remove or restrict access to app/frontend/view/login/forget.html:

    mv app/frontend/view/login/forget.html app/frontend/view/login/forget.html.disabled

Note that this also takes the password-reset page offline for legitimate users until a fixed version is deployed.

Network access control (platform: all)

Restrict network access to the funadmin login interfaces.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate funadmin instances
  • Deploy web application firewall rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the funadmin version: if it is 7.1.0-rc4 or earlier, the system is vulnerable.

Check Version:

Check the funadmin configuration files or the admin panel for version information.

Verify Fix Applied:

Verify that the forget.html file has been removed or modified, or that the system has been upgraded beyond 7.1.0-rc4.
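The version check above has one trap: pre-release tags sort before the final release, so 7.1.0-rc4 is inside the affected range while 7.1.0 is not. The following Python is an added example, not code from the advisory or from the funadmin project; it encodes the range "up to 7.1.0-rc4" as a comparison that handles alpha/beta/rc suffixes. A version above rc4 is reported only as outside the published range, not as confirmed fixed, since no patch version has been published.

```python
import re

# Upper bound of the affected range as stated in the advisory.
AFFECTED_MAX = "7.1.0-rc4"

# Accepts "7.1.0", "v7.1.0", "7.1.0-rc4", "7.1.0-beta.2" and similar forms.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)

# Pre-release tags rank below a final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text):
    """Turn a funadmin-style version string into a sortable tuple.

    7.1.0-rc4 -> (7, 1, 0, 2, 4) and 7.1.0 -> (7, 1, 0, 3, 0), so that
    7.1.0-rc4 < 7.1.0. Raises ValueError for strings it cannot parse.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        pre_rank, pre_num = _FINAL_RANK, 0
    else:
        pre_rank = _PRE_RANK[tag.lower()]
        pre_num = int(num) if num else 0
    return (int(major), int(minor), int(patch), pre_rank, pre_num)


def is_in_affected_range(version):
    """True if the given version is 7.1.0-rc4 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def classify(version):
    """Human-readable verdict for a version string read from the admin panel."""
    try:
        affected = is_in_affected_range(version)
    except ValueError as exc:
        return f"cannot determine: {exc}"
    if affected:
        return f"{version}: within the affected range (up to {AFFECTED_MAX})"
    return f"{version}: outside the published affected range (not confirmed fixed)"


if __name__ == "__main__":
    for v in ["7.0.5", "7.1.0-rc4", "7.1.0-rc5", "7.1.0", "unknown"]:
        print(classify(v))
```

The comparison deliberately treats any tag it does not recognise as a parse error rather than guessing, so an unexpected version format surfaces as "cannot determine" instead of a false "not affected".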

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to forget.html
  • Multiple failed or unusual requests to login endpoints

Network Indicators:

  • HTTP requests targeting /app/frontend/view/login/forget.html with suspicious parameters

SIEM Query:

source="web_server" AND (uri="*forget.html*" OR uri="*/login/forget*") AND (status=200 OR status=500)
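For teams that do not have the SIEM query above available, the same filter can be run directly over web-server access logs. The following Python is an added example, not part of the advisory or of the funadmin project: it parses combined-format access-log lines, keeps the requests the SIEM query would select (a path containing forget.html or /login/forget with status 200 or 500), and lists source addresses that exceed a request threshold. The log lines are constructed samples, and the burst threshold of three requests is an assumption to tune per site.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:15:01 +0000] "GET /login/forget.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:15:04 +0000] "POST /login/forget.html HTTP/1.1" 200 611 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2026:10:15:04 +0000] "POST /login/forget.html HTTP/1.1" 500 233 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2026:10:15:05 +0000] "POST /login/forget.html HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.0.2.22 - - [12/Mar/2026:10:16:10 +0000] "GET /login/forget.html HTTP/1.1" 404 153 "-" "curl/8.4"
198.51.100.7 - - [12/Mar/2026:10:16:40 +0000] "GET /login/forget.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same selection as the SIEM query: forget.html or /login/forget, status 200 or 500.
SUSPECT_PATH = re.compile(r"forget\.html|/login/forget", re.IGNORECASE)
INTERESTING_STATUS = {200, 500}

# Assumption: more than this many matching requests from one address is worth review.
BURST_THRESHOLD = 3


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def matching_requests(log_text):
    """Requests to the password-reset page that answered 200 or 500."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SUSPECT_PATH.search(rec["path"]) and rec["status"] in INTERESTING_STATUS:
            hits.append(rec)
    return hits


def sources_to_review(log_text, threshold=BURST_THRESHOLD):
    """Source addresses with at least `threshold` matching requests, with their counts."""
    counts = Counter(h["ip"] for h in matching_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for h in matching_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("review:", sources_to_review(SAMPLE_LOG))
```

Against the sample, a single address issuing several POSTs to the reset page from a scripting user agent, including one that produced a 500, is what the per-source count surfaces, while the ordinary browser visit from another address stays below the threshold. In practice, feed the function real log text and correlate the flagged addresses with the timestamps before treating them as an incident.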
