CVE-2026-2895 · HIGH 8.1 · EPSS p30.9%

Description

A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.9% · 2026-06-19T12:03:05Z
Published: 2026-02-21
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-640

References

  1. https://github.com/I4m6da/CVE/issues/2
  2. https://github.com/I4m6da/CVE/issues/2#issue-3884919985
  3. https://vuldb.com/?ctiid.347206
  4. https://vuldb.com/?id.347206
  5. https://vuldb.com/?submit.753971

Type: Weakness
Target: Weak Password Recovery Mechanism for Forgotten Password (cwe-640)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-2894
  2. CVE-2026-2161
  3. CVE-2025-7859
  4. CVE-2025-48986
  5. CVE-2025-15398
  6. CVE-2026-10288

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.