Vulnerabilities ›

CVE-2026-2895

Low ⚡ Exploit Available

CWE-640 — Weakness Type

                    Published: Feb 21, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

3.7

🔗 NVD Official

📄 Description (English)

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-2895 is a weak password recovery vulnerability in funadmin up to version 7.1.0-rc4 affecting the Member.php repass function. Remote attackers can exploit this by manipulating forget_code/vercode parameters, though exploitation is difficult and requires high complexity.

📄 Description (Arabic)

يؤثر هذا الثغر على وظيفة إعادة تعيين كلمة المرور في تطبيق funadmin حيث يمكن للمهاجمين التلاعب برموز التحقق. يتطلب الاستغلال مستوى تعقيد عالي لكن الثغرة تم الكشف عنها علناً.

🤖 ملخص تنفيذي (AI)

A password recovery weakness exists in funadmin versions up to 7.1.0-rc4 in the Member.php repass function. Attackers can manipulate forget_code/vercode arguments to bypass password recovery security, though the attack is complex and difficult to execute.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 08:01

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

banking telecom government

🎯 MITRE ATT&CK Techniques

T1110 T1078

⚖️ Saudi Risk Score (AI)

4.0

/ 10.0

🔧 Remediation Steps (English)

Update funadmin to a version newer than 7.1.0-rc4 immediately. Implement strong validation and cryptographic verification for password recovery tokens. Monitor for suspicious password reset attempts and implement rate limiting on password recovery endpoints.

🔧 خطوات المعالجة (العربية)

قم بتحديث funadmin إلى إصدار أحدث من 7.1.0-rc4 فوراً. طبق التحقق القوي والتحقق التشفيري لرموز استرجاع كلمة المرور. راقب محاولات إعادة تعيين كلمة المرور المريبة وطبق تحديد معدل على نقاط نهاية استرجاع كلمة المرور.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

AC-2 AC-3

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3

🔗 References & Sources 5

🔗

https://github.com/I4m6da/CVE/issues/2

cna@vuldb.com

Exploit Issue Tracking

🔗

https://github.com/I4m6da/CVE/issues/2#issue-3884919985

cna@vuldb.com

Exploit Issue Tracking

🔗

https://vuldb.com/?ctiid.347206

cna@vuldb.com

Permissions Required VDB Entry

🔗

https://vuldb.com/?id.347206

cna@vuldb.com

Third Party Advisory VDB Entry

🔗

https://vuldb.com/?submit.753971

cna@vuldb.com

Third Party Advisory VDB Entry

📦 Affected Products / CPE 5 entries

funadmin:funadmin

funadmin:funadmin:7.1.0

📊 CVSS Score

3.7

/ 10.0 — Low

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Low

CVSS Score3.7

CWECWE-640

EPSS0.08%

Exploit ✓ Yes

Patch ✗ No

Published 2026-02-21

Source Feed nvd

🇸🇦 Saudi Risk Score

4.0

/ 10.0 — Saudi Risk

Priority: LOW

🏷️ Tags

exploit-available CWE-640

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-2895

💬 Comments

Introduce Yourself

Sign In Required