Platform: php
Component: funadmin/funadmin
Fixed in: 7.1.1
CVE-2026-2897 is a cross-site scripting (XSS) vulnerability affecting funadmin versions up to 7.1.0-rc4. This flaw allows attackers to inject malicious scripts into the application via manipulation of the 'Value' argument within the Backend Interface. Successful exploitation could lead to session hijacking or defacement. The vulnerability has been publicly disclosed and may be actively exploited.
The XSS vulnerability in funadmin allows an attacker to inject arbitrary JavaScript code into the application's web pages. That code then executes in the context of a user's browser, potentially allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application's interface. Because the vulnerability is remotely reachable, an attacker does not need to be on the same network as the application to exploit it. Given the public disclosure, the risk of exploitation is elevated, particularly for installations that are not promptly updated.
This vulnerability was publicly disclosed on 2026-02-22. The vendor was notified but did not respond. The exploit is considered relatively straightforward to execute, increasing the likelihood of exploitation. No KEV listing or active exploitation campaigns have been reported as of this date.
Organizations using funadmin for backend management interfaces are at risk, particularly those running versions prior to the security fix. Shared hosting environments where multiple users share the same funadmin instance are also at increased risk, as an attacker could potentially exploit the vulnerability through another user's account.
• php / server:
grep -r "Value = javascript:" /var/www/funadmin/
• generic web:
curl -I http://your-funadmin-site.com/app/backend/view/index/index.html | grep -i content-security-policy
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2897 is to upgrade funadmin to a version that includes the security fix. As no fixed version is specified, thoroughly review the vendor's release notes for the latest stable version. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Value' argument within the Backend Interface to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection.
Update funadmin to a version later than 7.1.0-rc4 that fixes the XSS vulnerability. If no such version is available, review and sanitize user input in the file app/backend/view/index/index.html to prevent injection of malicious code.
CVE-2026-2897 is a cross-site scripting (XSS) vulnerability in funadmin versions up to 7.1.0-rc4, allowing attackers to inject malicious scripts via the 'Value' argument in the Backend Interface.
You are affected if you are using funadmin versions 7.1.0-rc4 or earlier. Upgrade to a patched version as soon as possible.
Upgrade funadmin to the latest available version. If upgrading is not possible, implement input validation and output encoding on the 'Value' argument.
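The mitigation above (and the earlier paragraph on input validation and output encoding) is the standard fix for reflected XSS: encode the parameter at the point where it is written into HTML, and add a Content-Security-Policy as defence in depth. The following PHP is an added example written here; it is not funadmin's code and does not reproduce the affected template. The template structure, the helper names `h`, `renderVulnerable`, `renderHardened` and `cspHeader`, the CSP policy, and the sample input are all assumptions made for illustration.

```php
<?php
// Added illustration, not funadmin's own code. Assumes a backend template that
// reflects a request parameter named "Value" into an HTML attribute.
declare(strict_types=1);

/**
 * Encode a string for safe insertion into HTML element content or a
 * double-quoted attribute value.
 * ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of silently returning an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Before: the request parameter (e.g. $_GET['Value']) is reflected verbatim,
 * so any markup or quote characters in it become part of the page.
 */
function renderVulnerable(string $value): string
{
    return '<input type="text" name="Value" value="' . $value . '">';
}

/**
 * After: every reflected occurrence passes through the encoder, so the
 * browser receives text, never markup, regardless of what the client sent.
 */
function renderHardened(string $value): string
{
    return '<input type="text" name="Value" value="' . h($value) . '">';
}

/**
 * Defence in depth: a policy without 'unsafe-inline' stops an injected inline
 * script or javascript: URL from running even where encoding was missed.
 * The nonce must be freshly generated for every response.
 */
function cspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Constructed sample input: a value containing a quote and a tag, used only to
// show that the hardened renderer keeps it inside the attribute.
$sample = '"><b>x</b>';

echo "vulnerable: ", renderVulnerable($sample), PHP_EOL;
echo "hardened:   ", renderHardened($sample), PHP_EOL;

// In a real handler this would be sent with header(); echoed here so the
// script runs from the CLI.
$nonce = base64_encode(random_bytes(16));
echo cspHeader($nonce), PHP_EOL;
```

Run it with `php example.php` and compare the two rendered `<input>` lines: in the vulnerable one the attribute is closed early by the sample input, in the hardened one the quote and angle brackets appear as HTML entities. The `curl -I ... | grep -i content-security-policy` check listed earlier tells you whether a deployed instance is sending a header like the one `cspHeader` builds.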
While no confirmed active exploitation campaigns have been reported, the vulnerability has been publicly disclosed and may be exploited.
Check the funadmin project's official website or GitHub repository for security advisories and release notes.