CVE-2026-34382

MEDIUM

Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php

Title source: cna

Description

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.

References (2)

[X_Refsource_Confirm] https://github.com/Admidio/admidio/security/advisories/GHSA-g3mx-8jm6-rc85

[X_Refsource_Misc] https://github.com/Admidio/admidio/commit/317ec91ad3baf19d4179db6c32413812eb36d7ca

View Writeup ZIP pw:eip

Scores

CVSS v3 4.6

EPSS 0.0002

EPSS Percentile 5.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (3)

admidio/admidio 5.0.0 - 5.0.8Packagist

admidio/admidio 5.0.0 - 5.0.8

Admidio/admidio >= 5.0.0, < 5.0.8

Published Mar 31, 2026

Tracked Since Apr 01, 2026