anonhaven
Ad

CVE-2026-32813

HIGH CVSS 3.1: 8.0 EPSS 0.03%
Updated Mar 23, 2026
Admidio
Parameter Value
CVSS 8.0 (HIGH)
Affected Versions before 5.0.7
Fixed In 5.0.7
Type CWE-89 (SQL Injection)
Vendor Admidio
Public PoC No

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements.

However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-89 SQL Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Admidio Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
 5.0.7

References 2

https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f41…
security-advisories@github.com
https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34384

Admidio

7.3

CVE-2026-34383

Admidio

3.5

CVE-2026-34382

Admidio

4.6

CVE-2026-34381

Apache

7.5

CVE-2026-32817

PHP

9.1