CVE-2026-2898

MEDIUM

funadmin <7.1.0-rc4 - Deserialization

Title source: llm

Description

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2898

View Code ZIP pw:eip

nomisec WORKING POC

by aykhan32 · poc

https://github.com/aykhan32/CVE-2026-2898-FunAdmin-Deserialization

View Code ZIP pw:eip

References (5)

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.347209

[Permissions Required, VDB Entry] https://vuldb.com/?id.347209

[Permissions Required, VDB Entry] https://vuldb.com/?submit.753976

[Issue Tracking] https://github.com/I4m6da/CVE/issues/5

[Issue Tracking] https://github.com/I4m6da/CVE/issues/5#issue-3890444166

Scores

CVSS v3 5.5

EPSS 0.0003

EPSS Percentile 9.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Details

CWE

CWE-502 CWE-20

Status published

Products (3)

funadmin/funadmin 7.1.0 rc1 (4 CPE variants)

funadmin/funadmin < 7.1.0

funadmin/funadmin 0Packagist

Published Feb 22, 2026

Tracked Since Feb 22, 2026