CVE-2026-2897
Remote XSS in Funadmin Backend Interface (app/backend/view
Publication date: 2026-02-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| funadmin | funadmin | to 7.1.0 (exc) |
| funadmin | funadmin | 7.1.0 |
| funadmin | funadmin | 7.1.0 |
| funadmin | funadmin | 7.1.0 |
| funadmin | funadmin | 7.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2897 is a Cross-Site Scripting (XSS) vulnerability found in the funadmin application up to version 7.1.0-rc4. It exists in the backend interface, specifically in the file app/backend/view/index/index.html, where system configuration values are rendered without proper filtering or escaping. This flaw allows an attacker to inject malicious JavaScript code into the backend interface, which can then be executed in the browsers of backend users.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of the argument "Value," enabling attackers to inject scripts remotely. Exploitation requires some level of authentication or, according to some reports, may be possible without authentication due to unauthorized access issues. The attack requires user interaction and can be carried out remotely.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code within the backend interface of the funadmin application. This can lead to several security issues including session hijacking, privilege escalation, and potentially complete compromise of the backend system.
Because the attack can be performed remotely and may not require authentication in some cases, attackers can exploit this vulnerability to gain unauthorized access or control over backend functionality.
The presence of publicly available proof-of-concept exploits increases the risk of exploitation, and no vendor mitigations or patches have been provided yet.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying instances of the vulnerable funadmin backend interface, specifically the file path app/backend/view/index/index.html, which is susceptible to cross-site scripting (XSS) attacks due to improper input handling.
One suggested method to locate potentially vulnerable targets is using Google dorking with queries such as: inurl:app/backend/view/index/index.html
Additionally, network or system administrators can monitor for unusual JavaScript execution or injection attempts in the backend interface logs or use web vulnerability scanners that detect XSS vulnerabilities in web applications.
What immediate steps should I take to mitigate this vulnerability?
Currently, no known countermeasures or mitigations have been provided by the vendor, and the vendor did not respond to early contact attempts.
Immediate mitigation steps include restricting access to the vulnerable backend interface to trusted users only, implementing web application firewalls (WAF) to detect and block XSS attack patterns, and monitoring for suspicious activity.
It is also advisable to avoid using affected versions of funadmin (up to 7.1.0-rc4) and to apply any future patches or updates once they become available.