CVE-2026-2897 MEDIUM

CVE-2026-2897: funadmin Backend index.html cross site scripting

Vendor N/A
Product funadmin
Weakness CWE-79 · XSS
Published February 22, 2026
Last update February 23, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

February 22, 2026 CVE published
February 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-52747 WordPress Themebox - Digital Products Ecommerce theme <= 1.4.2 - Cross Site Scripting (XSS) vulnerability CVE-2026-3353 Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting CVE-2025-24566 WordPress Intro Tour Tutorial DeepPresentation plugin <= 6.5.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-66119 WordPress Hostel plugin <= 1.1.5.9 - Cross Site Scripting (XSS) vulnerability CVE-2025-26742 WordPress Gallery for Social Photo plugin <= 1.0.0.35 - Cross Site Scripting (XSS) vulnerability