Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
1.9

funadmin: Hackers can execute malicious code in funadmin

CVE-2026-2897 GHSA-rfh7-7v27-6p9r
Summary

A security weakness in funadmin allows hackers to inject malicious code into the system, potentially allowing them to steal sensitive information or take control of the system. This issue affects funadmin versions up to 7.1.0-rc4. We recommend updating funadmin to a patched version to protect against this risk.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
VendorProductAffected versionsFix available
funadmin funadmin <= 7.1.0-rc4
funadmin funadmin <= 7.1.0
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
funadmin funadmin 7.1.0
Original title
funadmin: XSS through Value argument in Backend Interface component
Original description
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0 3.3
nvd CVSS3.1 4.8
nvd CVSS4.0 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
CWE-94 Code Injection
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026