CVE-2026-2898
MEDIUM
GHSA-gcxp-xg77-798j
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Tags
Description
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
Funadmin up to version 7.1.0-rc4 contains an unsafe deserialization vulnerability in the AuthCloudService.php getMember function that allows authenticated remote attackers to manipulate the cloud_account parameter and execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running funadmin and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today