CVE-2026-2895

Name of the Vulnerable Software and Affected Versions funadmin versions through 7.1.0-rc4

Description A security flaw exists in funadmin that allows for weak password recovery. The issue is located in the repass function within the app/frontend/controller/Member.php file. Manipulation of the forget code/vercode argument can lead to exploitation. Remote exploitation is possible, but is considered difficult. The exploit has been publicly released.

Recommendations Versions prior to 7.1.0-rc4 should be updated. As a temporary workaround, consider restricting access to the repass function within the app/frontend/controller/Member.php file until a patch is available.