funadmin forget.html getMember information disclosure
Description
A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A publicly accessible information disclosure vulnerability in funadmin's password reset page (forget.html) allows remote attackers to enumerate members.
Vulnerability Analysis [CVE-2026-2894]
What it is
A vulnerability in funadmin up to version 7.1.0-rc4 has been identified in the getMember function within the file app/frontend/view/login/forget.html. The root cause is that this function, which handles password reset operations, improperly exposes internal member details, leading to an information disclosure weakness [1]. The vendor was contacted but did not respond.
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication, as the affected file is part of the public-facing password reset interface. The exploit does not require any special network position beyond normal internet access, and a working exploit is publicly available, increasing the risk of widespread scanning and abuse [1].
Impact
Successful exploitation allows a remote, unauthenticated attacker to obtain sensitive information about registered members, such as usernames, emails, or other user identifiers. This information can facilitate further targeted attacks, such as phishing, credential stuffing, or social engineering against the FunAdmin user base.
Mitigation
As of the publication date (2026-02-21), the vendor has not released a patch or acknowledged the vulnerability. Operators of FunAdmin installations are advised to monitor the vendor's repository [2] for future updates and to consider implementing web application firewall (WAF) rules or temporarily disabling the password reset functionality if feasible.
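The advisory names a member-lookup function on the public password-reset page as the leak, which is the classic reset-flow mistake: the server answers an unauthenticated lookup with the member record itself, and answers differently for known and unknown accounts. The example below is added here to illustrate that pattern and the fix a maintainer would apply; it is not funadmin's code, it is written in Python for illustration rather than in the project's own code base, and the member table, the `code`/`msg`/`data` response shape, the endpoint behaviour and the rate-limit numbers are all assumptions for the demonstration. It shows the leaking variant beside a hardened reset service that returns one uniform response, delivers the token out of band and throttles lookups per client address.

```python
"""Illustrative only (not funadmin's code): a password-reset member lookup that
leaks member details, beside a hardened reset flow with a uniform response."""
import hmac
import secrets
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed sample member table standing in for the application's user store.
MEMBERS = {
    "alice": {"id": 101, "username": "alice", "email": "alice@example.com", "mobile": "13800000001"},
    "bob":   {"id": 102, "username": "bob",   "email": "bob@example.com",   "mobile": "13800000002"},
}


def get_member_vulnerable(identifier: str) -> dict:
    """Vulnerable pattern (assumed shape): the reset page asks the server for the
    member and the server hands the record to an unauthenticated caller. The
    reply also differs for existing and unknown accounts, so it doubles as an
    account-enumeration oracle."""
    member = MEMBERS.get(identifier)
    if member is None:
        return {"code": 0, "msg": "member not found"}
    return {"code": 1, "msg": "ok", "data": member}   # leaks id, email, mobile


class ResetService:
    """Hardened pattern: never return member data to the browser, answer the
    same way whether or not the account exists, and rate-limit lookups."""

    def __init__(self, max_per_window: int = 5, window_seconds: int = 300):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.attempts: Dict[str, List[float]] = defaultdict(list)  # per client IP
        self.outbox: List[tuple] = []       # stands in for mail/SMS delivery
        self.tokens: Dict[str, tuple] = {}  # token -> (member id, expiry)

    def request_reset(self, identifier: str, client_ip: str,
                      now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        recent = [t for t in self.attempts[client_ip] if now - t < self.window]
        self.attempts[client_ip] = recent
        if len(recent) >= self.max_per_window:
            return {"code": 0, "msg": "too many requests, try again later"}
        recent.append(now)

        member = MEMBERS.get(identifier)
        if member is not None:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (member["id"], now + 900)   # 15-minute lifetime
            # Delivered out of band; the caller never sees the address or token.
            self.outbox.append((member["email"], token))
        # Identical body and status code whether or not the account exists.
        return {"code": 1, "msg": "If the account exists, reset instructions have been sent."}

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Single-use token redemption with a constant-time comparison."""
        now = time.time() if now is None else now
        for stored, (member_id, expiry) in list(self.tokens.items()):
            if hmac.compare_digest(stored, token) and now < expiry:
                del self.tokens[stored]
                return member_id
        return None


def enumerate_members(lookup: Callable[[str], dict], candidates: List[str]) -> Dict[str, dict]:
    """What an attacker's enumeration loop collects from a given lookup."""
    return {c: lookup(c) for c in candidates}
```

Against `get_member_vulnerable`, `enumerate_members` returns full records for every valid identifier and a distinguishable error for the rest; against `ResetService.request_reset` every candidate gets the same reply and the sixth lookup from one address inside the window is refused. One caveat the hardened version does not cover: sending the message inline still leaves a timing difference between existing and unknown accounts, so production code should queue delivery asynchronously.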
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| funadmin/funadmin (Packagist) | <= 7.1.0-rc4 | — |
Affected products: 2
Patches: 0
No patches discovered yet.
References
- github.com/I4m6da/CVE/issues/1 (exploit, issue tracking; cited by MITRE and GHSA)
- github.com/advisories/GHSA-8hhx-xq9j-xwfj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-2894 (NVD advisory)
- vuldb.com (third-party advisory: VDB entry, technical description, signature, permissions-required)