2.9

FunAdmin Password Recovery Allows Attackers to Guess Passwords

CVE-2026-2895 GHSA-fmr2-m7gc-577w
Summary

A security issue in FunAdmin allows attackers to guess or reset passwords if they know some information about the account. This means that your users' passwords could be compromised if an attacker finds out the necessary information. To protect your users, update to the latest version of FunAdmin.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
funadmin | funadmin | <= 7.1.0-rc4 |
funadmin | funadmin | <= 7.1.0 |
funadmin | funadmin | 7.1.0 |
Original title
funadmin has Weak Password Recovery Mechanism for Forgotten Password
Original description
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
NVD CVSS 2.0: 2.6
NVD CVSS 3.1: 8.1
NVD CVSS 4.0: 6.3
Vulnerability type
CWE-640
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
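
For teams reviewing a password-recovery flow against the CWE-640 class listed above, the following added example shows a recovery-code verifier with the usual controls: a CSPRNG code, hash-only storage, expiry, bounded attempts and single use. It is not FunAdmin code and does not reproduce the repass function, whose internals this page does not describe; the class name, policy constants and in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed policy: code valid for 10 minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong guesses allowed per issued code


class ResetCodeStore:
    """Hypothetical in-memory store of pending recovery codes (illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account: str) -> str:
        """Create a fresh code from the CSPRNG, replacing any earlier one."""
        code = secrets.token_urlsafe(32)  # 256 bits of entropy, not a short numeric code
        self._pending[account] = {
            "digest": self._digest(code),  # only the hash is kept server-side
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # delivered out of band, e.g. by e-mail

    def verify(self, account: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(account)
        # Run the comparison even when no entry exists, so response timing
        # does not reveal whether a reset is pending for the account.
        expected = entry["digest"] if entry else bytes(32)
        matches = hmac.compare_digest(expected, self._digest(submitted))
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        if not matches:
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[account]  # lockout: a new code must be issued
            return False
        del self._pending[account]  # single use
        return True
```
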