Severity | Score | CVE | Advisory | Affected versions
CRITICAL | 9.9 | CVE-2024-37906 | Admidio has Blind SQL Injection in ecard_send.php | from 0, < 4.3.9
CRITICAL | 9.1 | CVE-2026-32817 | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion | >= 5.0.0, < 5.0.7
CRITICAL | 9.0 | - | Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment | from 0, < 4.3.10
HIGH | 8.8 | - | File Upload (RCE) Vulnerability in admidio | from 0, < 5.0.7
HIGH | 8.2 | - | Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest | from 0, < 5.0.9
HIGH | 8.2 | - | Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests | from 0, < 5.0.9
HIGH | 8.2 | - | Insufficient Session Expiration in Admidio | from 0, < 4.1.9
HIGH | 8.1 | - | Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders | from 0, < 5.0.10
HIGH | 8.0 | - | Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) | from 0, < 5.0.7
HIGH | 7.5 | - | Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess | >= 5.0.0, < 5.0.8
HIGH | 7.3 | - | Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability | from 0, < 4.2.9
HIGH | 7.2 | - | Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality | from 0, < 4.3.17
HIGH | 7.1 | - | Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP | from 0, < 5.0.9
MEDIUM | 6.8 | - | Admidio has an incomplete fix for CVE-2026-32812 (SSRF) | from 0, < 5.0.9
MEDIUM | 6.8 | - | Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation | from 0, < 5.0.9
MEDIUM | 6.8 | - | Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint | >= 5.0.0, < 5.0.7
MEDIUM | 6.7 | - | Admidio vulnerable to Unrestricted Upload of File with Dangerous Type | from 0, < 4.2.10
MEDIUM | 6.5 | - | Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024 | from 0, < 5.0.10
MEDIUM | 6.5 | - | Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders | from 0, < 5.0.10
MEDIUM | 6.5 | - | Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php` | from 0, < 5.0.10
MEDIUM | 6.5 | - | Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges | from 0, < 5.0.10
MEDIUM | 6.5 | - | Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items | from 0, < 5.0.9
MEDIUM | 6.5 | - | Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials | from 0, < 5.0.9
MEDIUM | 6.5 | - | Admidio is Missing Authorization on Forum Topic and Post Deletion | >= 5.0.0, < 5.0.7
MEDIUM | 6.5 | - | Admidio Insufficient Session Expiration vulnerability | from 0, < 4.2.11
MEDIUM | 6.3 | - | Admidio vulnerable to Cross-site Scripting | from 0, < 4.2.8
MEDIUM | 6.1 | - | Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion | from 0, < 5.0.9
MEDIUM | 6.1 | - | Cross-site Scripting in Admidio | from 0, < 4.2.13
MEDIUM | 5.7 | - | Admidio is Missing CSRF Protection on Role Membership Date Changes | from 0, < 5.0.7
MEDIUM | 5.7 | - | Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions | >= 5.0.0, < 5.0.7
MEDIUM | 5.4 | - | Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation | from 0, < 5.0.10
MEDIUM | 5.4 | - | Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection | from 0, < 5.0.7
MEDIUM | 5.4 | - | Admidio Improper Access Control vulnerability | from 0, < 4.2.9
MEDIUM | 5.4 | - | Cross-site Scripting in admidio | from 0, < 4.1.3
MEDIUM | 5.2 | - | Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords | from 0, < 5.0.10
MEDIUM | 5.2 | - | Admidio Missing Minimum Administrator Check in Role Membership Removal | from 0, < 5.0.9
MEDIUM | 4.9 | - | Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php | from 0, < 5.0.9
MEDIUM | 4.6 | - | Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php | >= 5.0.0, < 5.0.8
MEDIUM | 4.5 | - | Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read | from 0, < 5.0.9
MEDIUM | 4.5 | - | Admidio has Missing CSRF Protection on Registration Approval Actions | from 0, < 5.0.8
MEDIUM | 4.5 | - | admidio CSRF Vulnerability | from 0, < 4.1-Beta.1
MEDIUM | 4.4 | - | Admidio writes session IDs and auto-login cookie values to application logs | from 0, < 5.0.10
MEDIUM | 4.3 | - | Admidio PKCS#12 private key export action lacks CSRF protection | from 0, < 5.0.10
MEDIUM | 4.3 | - | Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter | from 0, < 5.0.8
LOW | 3.5 | - | Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send | from 0, < 5.0.9
LOW | 3.5 | - | Admidio Vulnerable to HTML Injection In The Messages Section | from 0, < 4.3.12
LOW | 3.5 | - | Admidio Improper Access Control vulnerability | from 0, < 4.2.9
LOW | 2.7 | - | Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment | from 0, < 5.0.9
NONE | 0.0 | - | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter | from 0, < 5.0.6