20 matches found
EUVD-2026-26913
A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to ...
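The entry above names a chunked-upload endpoint as the sink. The recurring mistake in chunked uploaders is that the final file name and content are never validated as a whole: each chunk is appended, and the assembled file keeps whatever name and extension the client chose. The following is an added illustration of the hardened pattern, written for this page and not taken from funadmin's UploadService; the allowlist, the magic-byte table, the helper names and the sample chunks are all constructed assumptions. It validates the client-supplied name once (single extension, allowlisted, no path components), writes the chunks to a temporary file, and only moves the result into place after the assembled content has been checked.

```python
import os
import re
import tempfile

# Allowlist of extensions the application actually needs; anything a PHP
# server would execute (php, phtml, phar, ...) is simply absent from it.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes expected for each allowed type (constructed table). This is a
# supplementary check on the *assembled* file; the allowlist is the control.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(Exception):
    pass


def validate_filename(filename: str) -> tuple[str, str]:
    """Return (stem, ext) for an acceptable client-supplied name.

    Rejects path components (../x.png), multiple extensions (shell.php.png),
    odd characters in the stem, and any extension outside the allowlist.
    The extension is compared case-insensitively, so shell.PhP is rejected.
    """
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise UploadRejected("path component in filename")
    parts = filename.split(".")
    if len(parts) != 2:
        raise UploadRejected("exactly one extension required")
    stem, ext = parts[0], parts[1].lower()
    if not _SAFE_STEM.match(stem):
        raise UploadRejected("bad characters in filename")
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    return stem, ext


def assemble_chunks(chunks: list[bytes], filename: str, upload_dir: str) -> str:
    """Join chunks into a temp file, check the whole, then move it into place."""
    stem, ext = validate_filename(filename)
    os.makedirs(upload_dir, exist_ok=True)
    # The temp file has no extension, so even a misconfigured web root would
    # not hand it to the PHP interpreter while it is being assembled.
    fd, tmp_path = tempfile.mkstemp(dir=upload_dir, prefix=".part-")
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                out.write(chunk)
        with open(tmp_path, "rb") as assembled:
            head = assembled.read(16)
        if not any(head.startswith(sig) for sig in MAGIC[ext]):
            raise UploadRejected("content does not match extension")
        final_path = os.path.join(upload_dir, f"{stem}.{ext}")
        os.replace(tmp_path, final_path)
        return final_path
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave a half-assembled file behind
        raise


def run_demo() -> dict:
    """Constructed inputs: one valid PNG and several disguised PHP uploads."""
    upload_dir = tempfile.mkdtemp()
    results = {}
    ok = assemble_chunks([b"\x89PNG\r\n\x1a\n", b"\x00" * 8], "avatar.png", upload_dir)
    results["ok"] = os.path.basename(ok)
    for name in ("shell.php", "shell.php.png", "shell.PhP", "../../public/shell.png"):
        try:
            assemble_chunks([b"\x89PNG\r\n\x1a\n"], name, upload_dir)
            results[name] = "accepted"
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    try:  # allowed extension, but the assembled bytes are a PHP script
        assemble_chunks([b"<?php system($_GET['c']); ?>"], "pic.png", upload_dir)
        results["php-as-png"] = "accepted"
    except UploadRejected as exc:
        results["php-as-png"] = f"rejected: {exc}"
    results["leftovers"] = sorted(os.listdir(upload_dir))
    return results
```

Two caveats a reviewer would add: magic bytes are easy to forge (a GIF header followed by PHP is still a valid-looking GIF), so the extension allowlist and storing uploads outside the executed web root, or on a path with script execution disabled, are the controls that matter; and the validation must run on the final assembled file, not only on the first chunk's metadata, because a chunked client controls both.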
CVE-2026-2898 funadmin Backend Endpoint AuthCloudService.php getMember deserialization
A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...
CVE-2026-2895 funadmin Member.php repass password recovery
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forgetcode/vercode results in weak password recovery. Remote exploitation of the attack is...
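The entry above describes a password-recovery flow whose verification code arguments can be manipulated. The page does not say how the check fails, so the following is an added illustration of what a recovery-code check should look like in general, written for this page and not derived from funadmin's Member.php; the store, the time-to-live, the attempt limit and the helper names are constructed assumptions. It generates the code from a CSPRNG, keeps only a hash of it, enforces expiry, single use and an attempt limit, rejects malformed input (empty strings, non-strings) before comparing, and compares in constant time.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumption: a reset code lives ten minutes
MAX_ATTEMPTS = 5         # assumption: after five wrong guesses the code is burned


class ResetStore:
    """In-memory stand-in for the table an application would keep reset codes in.

    The store is keyed by account; the account whose password gets changed must
    be taken from the record that verified, never from a second request
    parameter, otherwise a code issued for one account can reset another.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for the demo below
        self._records: dict[str, dict] = {}

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from the CSPRNG
        self._records[account] = {
            "hash": hashlib.sha256(code.encode()).hexdigest(),  # never the code itself
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # delivered out of band; never echoed in an HTTP response

    def verify(self, account: str, submitted) -> bool:
        rec = self._records.get(account)
        if rec is None:
            return False                       # nothing outstanding for this account
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._records[account]         # expired or brute-forced: must re-issue
            return False
        rec["attempts"] += 1                   # count every call, valid shape or not
        if not (isinstance(submitted, str) and len(submitted) == 6 and submitted.isdigit()):
            return False                       # '', None, arrays, etc. never match
        given = hashlib.sha256(submitted.encode()).hexdigest()
        if not hmac.compare_digest(given, rec["hash"]):
            return False
        del self._records[account]             # single use
        return True


def run_demo() -> dict:
    """Drive the store with a fake clock; every input here is constructed."""
    now = [1_700_000_000.0]
    store = ResetStore(clock=lambda: now[0])
    out = {}
    code = store.issue("alice")
    out["empty_code"] = store.verify("alice", "")
    out["wrong_type"] = store.verify("alice", ["0"] * 6)
    out["wrong_code"] = store.verify("alice", "111111" if code != "111111" else "222222")
    out["other_account"] = store.verify("bob", code)
    out["right_code"] = store.verify("alice", code)
    out["replay"] = store.verify("alice", code)
    # Brute force: burn MAX_ATTEMPTS wrong guesses, then present the real code.
    code2 = store.issue("alice")
    for i in range(MAX_ATTEMPTS):
        store.verify("alice", f"{(int(code2) + i + 1) % 10**6:06d}")
    out["after_lockout"] = store.verify("alice", code2)
    # Expiry: advance the clock past the TTL.
    code3 = store.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired"] = store.verify("alice", code3)
    return out
```

Hashing the stored code means a read of the reset table (for example through one of the SQL injections listed further down this page) does not hand an attacker live codes; the attempt limit is what makes a six-digit code adequate at all, since without it the space is trivially enumerable.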
CVE-2026-2894
FunAdmin up to 7.1.0-rc4 is affected by an access-control error in the forget.html getMember function that enables information disclosure. The issue allows remote exploitation with publicly available exploit code. Multiple sources confirm the vulnerability in the same component and version range....
EUVD-2023-1081
Malicious code in bioql PyPI...
EUVD-2023-33962
Malicious code in bioql PyPI...
CVE-2024-48230
funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php...
CVE-2023-36097
funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install...
CVE-2023-24777
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list...
Cross-Site Scripting (XSS)
funadmin/funadmin is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the lack of input validation and filtering of parameters passed to the param variable in the selectfiles method of \backend\controller\sys\Attachh.php, allowing an attacker to inject malicious scripts into th...
Arbitrary File Deletion
funadmin/funadmin is vulnerable to Arbitrary File Deletion. The vulnerability is due to a lack of proper access control in the /curd/index/delfile endpoint, which allows unauthorized users to delete files...
CVE-2024-48227
Funadmin 5.0.2 has a logical flaw in the Curd one-click command deletion function, which can result in a Denial of Service (DoS)...
CVE-2024-48231
Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \backend\controller\auth\Auth.php...
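CVE-2024-48230 and CVE-2024-48231 above are both injections through parameters that name columns (parentField, selectFields) rather than values. That distinction matters: prepared-statement placeholders can only carry values, so an identifier taken from the request has to be allowlisted instead. The following is an added, constructed example for this page and not funadmin's Auth.php: the schema, the allowlist and the helper names are assumptions, and SQLite stands in for the real database. It shows the vulnerable shape beside the hardened one, including a subquery smuggled in through the field list and a WHERE clause rewritten through the parent-field name.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for an admin table; the rows are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT, parent_id INTEGER);
        INSERT INTO admin VALUES (1, 'root',  'h$root',  0);
        INSERT INTO admin VALUES (2, 'alice', 'h$alice', 1);
        INSERT INTO admin VALUES (3, 'bob',   'h$bob',   1);
    """)
    return con


def list_vulnerable(con, select_fields: str, parent_field: str, parent_id: int):
    # Column names interpolated straight from the request; only the value is bound,
    # which is exactly the shape behind a selectFields / parentField injection.
    sql = f"SELECT {select_fields} FROM admin WHERE {parent_field} = ?"
    return con.execute(sql, (parent_id,)).fetchall()


# Allowlist of identifiers the endpoint may reference. password_hash is a real
# column but is deliberately absent: a field list must not be able to pull it.
ALLOWED_COLUMNS = {"id", "username", "parent_id"}


def quote_ident(name: str) -> str:
    """Accept only allowlisted identifiers, then quote them as identifiers."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def list_hardened(con, select_fields: str, parent_field: str, parent_id: int):
    cols = [quote_ident(c.strip()) for c in select_fields.split(",")]
    sql = f"SELECT {', '.join(cols)} FROM admin WHERE {quote_ident(parent_field)} = ?"
    return con.execute(sql, (parent_id,)).fetchall()


def run_demo() -> dict:
    con = build_db()
    out = {}
    out["normal"] = list_vulnerable(con, "id, username", "parent_id", 1)
    # selectFields carrying a subquery: every row now carries root's hash.
    leak = "id, (SELECT password_hash FROM admin WHERE username='root')"
    out["leak_via_select_fields"] = list_vulnerable(con, leak, "parent_id", 1)
    # parentField rewriting the predicate: the bound value becomes irrelevant.
    out["bypass_via_parent_field"] = list_vulnerable(con, "username", "1=1 OR parent_id", 99)
    try:
        list_hardened(con, leak, "parent_id", 1)
        out["hardened_select_fields"] = "accepted"
    except ValueError as exc:
        out["hardened_select_fields"] = str(exc)
    try:
        list_hardened(con, "username", "1=1 OR parent_id", 99)
        out["hardened_parent_field"] = "accepted"
    except ValueError as exc:
        out["hardened_parent_field"] = str(exc)
    out["hardened_normal"] = list_hardened(con, "id, username", "parent_id", 1)
    return out
```

Quoting the identifier after the allowlist check is belt and braces: the allowlist is what stops injection, the quoting only keeps a legitimate name with unusual characters from being misparsed. An ORM helper that escapes identifiers without an allowlist still lets a request read columns it should never see.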
GHSA-7PMH-8QJJ-4Q36 SQL Injection in Funadmin
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns...