anonhaven
Ad

CVE-2026-34382

MEDIUM CVSS 3.1: 4.6 EPSS 0.02%
Updated Apr 01, 2026
Admidio
Parameter Value
CVSS 4.6 (MEDIUM)
Affected Versions 5.0.0 — 5.0.8
Fixed In 5.0.8
Type CWE-352 (Cross-Site Request Forgery (CSRF))
Vendor Admidio
Public PoC No

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights.

This issue has been patched in version 5.0.8.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Admidio Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*
 5.0.0 5.0.8

References 2

https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d…
security-advisories@github.com
https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34384

Admidio

7.3

CVE-2026-34383

Admidio

3.5

CVE-2026-34381

Apache

7.5

CVE-2026-32817

PHP

9.1

CVE-2026-32813

Admidio

8.0