CVE-2026-34383

Severity: MEDIUM, CVSS 3.1: 3.5, EPSS: 0.03%
Updated Apr 01, 2026
Admidio
Parameter            Value
CVSS                 3.5 (MEDIUM)
Affected Versions    before 5.0.8
Fixed In             5.0.8
Type                 CWE-20 (Improper Input Validation), CWE-352 (Cross-Site Request Forgery (CSRF))
Vendor               Admidio
Public PoC           No

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's item_save endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data without CSRF protection and without the field value checks that the FormPresenter validation normally enforces.

This issue has been patched in version 5.0.8.
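
The control-flow flaw described above, modelled as a small added PHP example (not Admidio's code and not the 5.0.8 patch). Apart from the imported parameter named in the advisory, every function and field name here is hypothetical, and the request data is constructed.

```php
<?php
declare(strict_types=1);

// Illustrative model only; not Admidio source. csrf_ok, validate_item,
// item_name and csrf_token are hypothetical names chosen for this example.

function csrf_ok(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

function validate_item(array $post): array
{
    $errors = [];
    $name = $post['item_name'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 100) {
        $errors[] = 'item_name must be 1-100 characters';
    }
    return $errors;
}

// Flawed pattern: a client-supplied flag decides whether the checks run.
function save_item_flawed(array $post, array $session): string
{
    if (($post['imported'] ?? '') !== 'true') {
        if (!csrf_ok($post, $session)) { return 'rejected: csrf'; }
        if (validate_item($post))      { return 'rejected: validation'; }
    }
    return 'saved';
}

// Hardened pattern: both checks are unconditional; request input cannot disable them.
function save_item_hardened(array $post, array $session): string
{
    if (!csrf_ok($post, $session)) { return 'rejected: csrf'; }
    if (validate_item($post))      { return 'rejected: validation'; }
    return 'saved';
}

// Constructed request: bypass flag set, no CSRF token, empty item name.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$request = ['imported' => 'true', 'item_name' => ''];

echo 'flawed:   ', save_item_flawed($request, $session), PHP_EOL;
echo 'hardened: ', save_item_hardened($request, $session), PHP_EOL;
```

If an import path genuinely needs different handling, that decision should come from server-side state rather than from a request parameter.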

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: Low (basic privileges needed)
User Interaction: Required (user action required)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v3.1

Vulnerable Products 1

Configuration: Admidio Admidio (cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*)
From (including): -
Up to (excluding): 5.0.8