Cyber Resilience

CVE-2026-2894

Medium · Public PoC

Published: 21 February 2026

Modified: 24 February 2026
CVSS Score (v4): 5.5 — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0040 (31.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2894 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Funadmin Funadmin. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2894 is an information disclosure vulnerability affecting funadmin versions up to 7.1.0-rc4. The flaw is located in the getMember function of the file app/frontend/view/login/forget.html, where improper handling enables unauthorized access to sensitive data.

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation results in limited disclosure of confidential information (C:L), with no impact on integrity or availability; under CVSS 3.1 this scores 5.3.

Advisories from VulDB and GitHub references indicate that a public exploit is available and the vendor was notified early but provided no response or patches. Affected systems should be reviewed for exposure in the login recovery functionality, with no official mitigations published.


Vulnerability details

A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote information disclosure in a publicly accessible web application (login/forget flow) directly enables exploitation of public-facing apps for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2896: same product (Funadmin Funadmin)
CVE-2026-2895: same product (Funadmin Funadmin)
CVE-2026-2054: shared CWE-200, CWE-284
CVE-2026-2148: shared CWE-200, CWE-284
CVE-2025-0481: shared CWE-200, CWE-284
CVE-2026-2055: shared CWE-200, CWE-284
CVE-2026-28276: shared CWE-200, CWE-284
CVE-2026-7198: shared CWE-284
CVE-2026-46818: shared CWE-284
CVE-2026-23659: shared CWE-200

Affected Assets

Vendor: funadmin · Product: funadmin · Version: 7.1.0 · ≤ 7.1.0

Mitigating Controls (NIST 800-53 r5, AI)

prevent · Directly enforces access restrictions on the getMember function so that unauthenticated remote callers cannot retrieve sensitive member data.

prevent · Limits and documents actions permitted without identification or authentication, directly blocking the unauthenticated access path exploited in the forget.html endpoint.

prevent · Ensures the login-recovery function and its data are only reachable by the minimal set of authorized principals, reducing the impact of the missing access check.
