CVE-2026-2896
Plain English Summary
AI-powered analysis for quick understanding
An attacker can remotely reach the configuration-update function of funadmin without the authorization check that should protect it, allowing configuration settings to be changed by someone who is not entitled to change them. The CVSS vector rates the direct impact on confidentiality, integrity and availability as low. The vulnerability affects versions up to 7.1.0-rc4, a public exploit exists, and the vendor has not responded, so any exposed funadmin backend on an affected version should be treated as at risk.
Technical Description
A vulnerability has been identified in funadmin up to 7.1.0-rc4. It affects the function setConfig in the file app/backend/controller/Ajax.php of the component Configuration Handler. Manipulating a request to this function leads to improper authorization: the action can be invoked without the privileges it is meant to require (PR:N in the CVSS vector). The attack can be executed remotely over the network. The exploit has been made public and could be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way.
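As an added example (not code from the advisory or from the funadmin project), the following Python script triages web-server access logs for requests to the setConfig action, which is the first thing a responder checking for exploitation of this issue would want. It assumes ThinkPHP-style routing, i.e. that app/backend/controller/Ajax.php::setConfig is reachable as /backend/ajax/setConfig, optionally with a .html suffix or in the index.php?s=/backend/ajax/setConfig compatibility form; the route, the sample log lines and the Referer-based heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption (not from the advisory): ThinkPHP-style routing exposes
# app/backend/controller/Ajax.php::setConfig as /backend/ajax/setConfig,
# optionally with a .html suffix or via the compatibility form
# index.php?s=/backend/ajax/setConfig. Only the last two segments are matched
# so a different app prefix still triggers a hit.
TARGET_ACTION = ("ajax", "setconfig")

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2026:10:14:02 +0000] "POST /backend/ajax/setConfig HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.7 - - [22/Feb/2026:10:15:10 +0000] "GET /backend/index/index HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2026:10:15:40 +0000] "POST /backend/ajax/setConfig HTTP/1.1" 200 58 "https://admin.example.test/backend/config/index" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2026:10:16:01 +0000] "POST /index.php?s=/backend/ajax/setConfig HTTP/1.1" 200 58 "-" "curl/8.5.0"
203.0.113.5 - - [22/Feb/2026:10:16:30 +0000] "GET /backend/ajax/setconfig.html HTTP/1.1" 405 0 "-" "curl/8.5.0"
"""


def route_segments(target: str) -> list:
    """Normalise a request target to lower-cased route segments.

    Handles the plain path form, the index.php?s=/a/b/c compatibility form
    and the optional .html pseudo-static suffix.
    """
    url = urlparse(target)
    path = url.path
    query = parse_qs(url.query)
    if "s" in query:  # index.php?s=/backend/ajax/setConfig
        path = query["s"][0]
    segs = [s.lower() for s in path.split("/") if s]
    if segs and segs[0] == "index.php":
        segs = segs[1:]
    if segs:
        segs[-1] = re.sub(r"\.html?$", "", segs[-1])
    return segs


def hits_set_config(target: str) -> bool:
    """True if the request target resolves to the ajax/setConfig action."""
    return tuple(route_segments(target)[-2:]) == TARGET_ACTION


def summarize(lines) -> dict:
    """Scan access-log lines and report every request to setConfig.

    A hit is marked suspicious when it is a POST answered with 2xx and
    carrying no Referer: a browser driving the admin UI normally sends one,
    while a scripted caller of the endpoint usually does not. This is a
    triage heuristic, not proof of compromise; cross-check the source IPs
    against known admin sessions.
    """
    hits, per_ip = [], defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_set_config(m["target"]):
            continue
        status = int(m["status"])
        suspicious = (
            m["method"] == "POST" and 200 <= status < 300 and m["referer"] == "-"
        )
        per_ip[m["ip"]] += 1
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": status, "ua": m["ua"],
            "suspicious": suspicious,
        })
    return {
        "hits": hits,
        "per_ip": dict(per_ip),
        "suspicious": [h for h in hits if h["suspicious"]],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for h in report["hits"]:
        flag = "SUSPICIOUS" if h["suspicious"] else "ok"
        print(f"{h['ts']} {h['ip']:<14} {h['method']:<4} {h['status']} {flag}  {h['target']}")
    print("per-source counts:", report["per_ip"])
```

Run against real logs by replacing SAMPLE_LOG with the file contents; on the constructed sample it reports four hits on the action, two of them flagged as direct scripted POSTs from 203.0.113.5. Adjust TARGET_ACTION if the deployment routes the backend differently.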
CVSS Vector Analysis
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploitability: reachable over the network (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N) and no user interaction (UI:N). Impact on the vulnerable system: low confidentiality, integrity and availability impact (VC:L/VI:L/VA:L), with no impact on subsequent systems (SC:N/SI:N/SA:N). The threat metric E:P records that a proof-of-concept exploit exists. All environmental and supplemental metrics are left undefined (X).
Quick Information
Published
Feb 22, 2026
Last Modified
Feb 24, 2026
Vendor
funadmin
Product
funadmin
Related Vulnerabilities
An attacker can remotely exploit a vulnerability in funadmin to manipulate user account data, potentially allowing them to execute harmful code on the server. This issue affects versions up to 7.1.0-rc4 and arises from improper handling of input in the authentication service.
This vulnerability allows an attacker to inject malicious scripts into the backend interface of the funadmin application, potentially compromising user data or session information. It can be exploited remotely without needing special access, making it a significant risk for users running affected versions up to 7.1.0-rc4.
An attacker can exploit a weakness in the password recovery process of funadmin to reset user passwords and gain unauthorized access to accounts. The attack requires manipulating specific recovery codes and is rated as difficult to carry out, but exploit details are now public, which increases the risk of attacks.
This vulnerability allows an attacker to remotely access sensitive information from the funadmin application, specifically through a function related to password recovery. The issue affects versions up to 7.1.0-rc4, and there is already a publicly available exploit that could be used to take advantage of this flaw.