PT-2026-21400 · Funadmin · Funadmin

I4M6Da · Published 2026-02-21 · Updated 2026-02-27 · CVE-2026-2896

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

funadmin versions up to 7.1.0-rc4

Description

funadmin contains a weakness that could lead to improper authorization. It stems from a manipulation possible in the setConfig function of app/backend/controller/Ajax.php, part of the Configuration Handler component. The attack can be executed remotely. The exploit has been made publicly available. The vendor was contacted but did not respond.

Recommendations

Update funadmin to a version later than 7.1.0-rc4.

Exploit

Fix

Incorrect Privilege Assignment

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-2896
GHSA-5M2G-4CF6-C3RG

Affected Products

Funadmin