CVE-2026-2898 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-2898

CVE-2026-2898

February 22, 2026

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Resources (7)

https://vuldb.com/?ctiid.347209

https://github.com/I4m6da/CVE/issues/5

https://github.com/funadmin/funadmin

https://github.com/I4m6da/CVE/issues/5#issue-3890444166

https://nvd.nist.gov/vuln/detail/CVE-2026-2898

https://vuldb.com/?id.347209

https://vuldb.com/?submit.753976

Do you need more information?

CVSS v4

Base Score:

5.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

POC

CVSS v3

Base Score:

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Exploit Maturity

PROOF-OF-CONCEPT

CVSS v2

Base Score:

6.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Exploitability

PROOF OF CONCEPT CODE

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Improper Input Validation

CWE-20

EPSS

Base Score:

0.03

Products

Solutions

Resources

Company

Compare

Developer Tools