CVE-2026-2898
EUVD-2026-754322.02.2026, 01:16
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| funadmin | funadmin | 𝑥 < 7.1.0 |
| funadmin | funadmin | 7.1.0:rc1 |
| funadmin | funadmin | 7.1.0:rc2 |
| funadmin | funadmin | 7.1.0:rc3 |
| funadmin | funadmin | 7.1.0:rc4 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.