CVE-2026-2895
Weak Password Recovery Vulnerability in Funadmin Member Controller
Publication date: 2026-02-21
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| funadmin | funadmin | to 7.1.0 (exc) |
| funadmin | funadmin | 7.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in funadmin up to version 7.1.0-rc4, specifically in the repass function of the file app/frontend/controller/Member.php. It involves manipulation of the arguments forget_code or vercode, which leads to weak password recovery mechanisms. This flaw can be exploited remotely, although the attack complexity is high and exploitation is considered difficult. The exploit has been publicly released.
How can this vulnerability impact me?
The vulnerability can allow an attacker to perform weak password recovery remotely by manipulating certain arguments, potentially leading to unauthorized access to user accounts. While the attack is difficult to execute, successful exploitation could compromise account integrity by allowing attackers to reset passwords without proper authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
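The record above classifies the flaw as CWE-640 (weak password recovery) and names the reset-code arguments forget_code and vercode, but gives no mitigation guidance. The following is an added example, not code from funadmin or the CVE record, showing the properties a password-recovery code check should have so that a manipulated or guessed code is not accepted: a high-entropy code generated with a CSPRNG, stored only as a hash, bound to one account, time-limited, single-use, attempt-limited, and compared in constant time. The class name, the in-memory store and the user ids are constructed for the demo; real code would persist the entries in a database table.

```php
<?php
// Added example (not funadmin's code): a hardened password-recovery code check
// that addresses the CWE-640 weaknesses the record describes.
// Storage is an in-memory array for the demo; production code would use a DB table.

declare(strict_types=1);

final class PasswordRecovery
{
    private const CODE_TTL_SECONDS = 900;   // codes are valid for 15 minutes
    private const MAX_ATTEMPTS = 5;         // guesses allowed per issued code

    /** @var array<string, array{hash:string, expires:int, attempts:int, used:bool}> keyed by user id */
    private array $store = [];

    /** Issue a fresh code for $userId. The plaintext is returned once, to be delivered out-of-band (e-mail/SMS). */
    public function issue(string $userId): string
    {
        $code = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG, not a short numeric PIN
        $this->store[$userId] = [
            'hash'     => hash('sha256', $code),     // store only a hash: a leaked table must not reveal live codes
            'expires'  => time() + self::CODE_TTL_SECONDS,
            'attempts' => 0,
            'used'     => false,
        ];
        return $code;
    }

    /** Verify a submitted code. Returns true only if every check passes; a correct code is consumed on success. */
    public function verify(string $userId, string $submitted): bool
    {
        $entry = $this->store[$userId] ?? null;
        if ($entry === null || $entry['used'] || time() > $entry['expires']) {
            return false;                           // no code issued for this account, already used, or expired
        }
        if ($entry['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->store[$userId]);           // too many guesses: invalidate the code entirely
            return false;
        }
        $this->store[$userId]['attempts']++;        // count the attempt before comparing
        // hash_equals is constant-time and strict; it avoids both timing leaks and loose == pitfalls
        if (!hash_equals($entry['hash'], hash('sha256', $submitted))) {
            return false;
        }
        $this->store[$userId]['used'] = true;       // single use: a replayed code is rejected
        return true;
    }
}

// Constructed demo of the checks above
$recovery = new PasswordRecovery();
$code = $recovery->issue('user-42');
var_dump($recovery->verify('user-42', ''));         // empty submission
var_dump($recovery->verify('user-42', '0'));        // wrong code
var_dump($recovery->verify('user-9', $code));       // valid code submitted for a different account
var_dump($recovery->verify('user-42', $code));      // correct code for the right account
var_dump($recovery->verify('user-42', $code));      // replay of a code that has already been consumed
```

The code is bound to the account it was issued for, so a valid code cannot be redirected to reset another user's password, and the attempt counter plus expiry keep the search space of even a leaked-length code out of reach of online guessing. Logging each failed verify() call with the account id gives a simple detection signal for abuse of the reset endpoint.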