CVE-2026-2896
HIGH
GHSA-5m2g-4cf6-c3rg
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Description
A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Funadmin versions up to 7.1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 7.3).
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Funadmin instances running version 7.1.0 or earlier and isolate them from production networks if possible; implement emergency access controls and monitor for suspicious activity. Within 7 days: Evaluate upgrade feasibility to version 7.1.1 or later when available; if upgrade is not immediately possible, deploy network-level compensating controls (WAF rules blocking exploitation patterns, IP whitelisting, VPN-only access). …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today