funadmin Configuration Handler Allows Unauthorized Access

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.5

funadmin Configuration Handler Allows Unauthorized Access

CVE-2026-2896 GHSA-5m2g-4cf6-c3rg

Summary

A security weakness in funadmin's Configuration Handler allows unauthorized access to certain functions. This could be exploited remotely, potentially leading to security breaches. funadmin users should update to a patched version to prevent potential attacks.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
funadmin	funadmin	<= 7.1.0-rc4	–
funadmin	funadmin	<= 7.1.0	–
funadmin	funadmin	7.1.0	–
funadmin	funadmin	7.1.0	–
funadmin	funadmin	7.1.0	–
funadmin	funadmin	7.1.0	–

Original title

funadmin has Incorrect Privilege Assignment in its Configuration Handler

Original description

A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

nvd CVSS2.0 7.5

nvd CVSS3.1 5.3

nvd CVSS4.0 6.9

Vulnerability type

CWE-266 Incorrect Privilege Assignment

CWE-285 Improper Authorization

https://nvd.nist.gov/vuln/detail/CVE-2026-2896
https://github.com/advisories/GHSA-5m2g-4cf6-c3rg
https://github.com/I4m6da/CVE/issues/3 Exploit Issue Tracking
https://github.com/I4m6da/CVE/issues/3#issue-3884949083 Exploit Issue Tracking
https://vuldb.com/?ctiid.347207 Permissions Required VDB Entry
https://vuldb.com/?id.347207 Third Party Advisory VDB Entry
https://vuldb.com/?submit.753972 Third Party Advisory VDB Entry

Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026