CVE-2026-2897

LOW2.4EPSS 0.04%

funadmin: XSS through Value argument in Backend Interface component

Published: 2/22/2026Modified: 2/26/2026

Description

A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected packages (1)

Packagist/funadmin/funadminfrom 0, <= 7.1.0-rc4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	LOW2.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-2897
PATCHhttps://github.com/funadmin/funadmin
WEBhttps://github.com/I4m6da/CVE/issues/4
WEBhttps://github.com/I4m6da/CVE/issues/4#issue-3890421022
WEBhttps://vuldb.com/?ctiid.347208
WEBhttps://vuldb.com/?id.347208
WEBhttps://vuldb.com/?submit.753975