CVE-2026-2895: funadmin has Weak Password Recovery Mechanism for Forgotten Password

February 22, 2026 (updated February 26, 2026)

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack’s complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/I4m6da/CVE/issues/2
github.com/advisories/GHSA-fmr2-m7gc-577w
github.com/funadmin/funadmin
nvd.nist.gov/vuln/detail/CVE-2026-2895
vuldb.com/?ctiid.347206
vuldb.com/?id.347206
vuldb.com/?submit.753971

Code Behaviors & Features

Detect and mitigate CVE-2026-2895 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →