Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.0
Funadmin Backend Endpoint Exposes User Information to Hackers
CVE-2026-2898
GHSA-gcxp-xg77-798j
Summary
A security flaw in funadmin's Backend Endpoint allows hackers to access user information. This issue affects funadmin versions up to 7.1.0-rc4. Update to the latest version to protect your users' data.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| funadmin | funadmin | <= 7.1.0-rc4 | – |
| funadmin | funadmin | <= 7.1.0 | – |
| funadmin | funadmin | 7.1.0 | – |
| funadmin | funadmin | 7.1.0 | – |
| funadmin | funadmin | 7.1.0 | – |
| funadmin | funadmin | 7.1.0 | – |
Original title
funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function
Original description
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.5
nvd CVSS3.1
6.5
nvd CVSS4.0
5.1
Vulnerability type
CWE-20
Improper Input Validation
CWE-502
Deserialization of Untrusted Data
- https://nvd.nist.gov/vuln/detail/CVE-2026-2898
- https://github.com/advisories/GHSA-gcxp-xg77-798j
- https://github.com/I4m6da/CVE/issues/5 Exploit Issue Tracking
- https://github.com/I4m6da/CVE/issues/5#issue-3890444166 Exploit Issue Tracking
- https://vuldb.com/?ctiid.347209 Permissions Required VDB Entry
- https://vuldb.com/?id.347209 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.753976 Third Party Advisory VDB Entry
Published: 22 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026