Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h19b-rapd-zyda
Vulnerability ID VCID-h19b-rapd-zyda
Aliases CVE-2026-2898
GHSA-gcxp-xg77-798j
Summary funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-502 Deserialization of Untrusted Data
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/funadmin/funadmin
https://github.com/I4m6da/CVE/issues/5
https://github.com/I4m6da/CVE/issues/5#issue-3890444166
https://vuldb.com/?ctiid.347209
https://vuldb.com/?id.347209
https://vuldb.com/?submit.753976
CVE-2026-2898 https://nvd.nist.gov/vuln/detail/CVE-2026-2898
GHSA-gcxp-xg77-798j https://github.com/advisories/GHSA-gcxp-xg77-798j
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:50:19.813340+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/funadmin/funadmin/CVE-2026-2898.yml 38.6.0