
Admidio — Vulnerabilities & Security Advisories (40)

Browse all 40 CVE security advisories affecting Admidio. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Admidio is an open-source community management system designed to facilitate the administration of clubs, associations, and organizations by handling member data, event scheduling, and resource allocation. Despite its utility, the software has a significant security history, with twenty-seven Common Vulnerabilities and Exposures (CVEs) documented to date. These flaws predominantly involve SQL injection, cross-site scripting (XSS), and broken access control mechanisms, which frequently allow unauthenticated attackers to execute remote code or escalate privileges. The application’s reliance on older PHP frameworks and inconsistent input validation has historically exposed it to severe exploitation. While recent updates have addressed critical gaps, the cumulative impact of these vulnerabilities suggests a pattern of delayed patching for legacy code paths. Organizations deploying this platform must prioritize strict access controls and regular vulnerability assessments to mitigate the risk of data breaches and unauthorized system modifications inherent in its previous versions.

Top products by Admidio: admidio admidio/admidio
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42194 | Incomplete fix for CVE-2026-32812: SSRF in admidio | admidio | CWE-918 | 6.8 | Medium | 2026-05-07 |
| CVE-2026-41671 | Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation | admidio | CWE-287 | 6.8 | Medium | 2026-05-07 |
| CVE-2026-41670 | Admidio: SAML Response Sent to Unvalidated Assertion Consumer Service URL from AuthnRequest | admidio | CWE-20 | 8.2 | High | 2026-05-07 |
| CVE-2026-41669 | Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed | admidio | CWE-347 | 8.2 | High | 2026-05-07 |
| CVE-2026-41663 | Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send | admidio | CWE-352 | 3.5 | Low | 2026-05-07 |
| CVE-2026-41662 | Admidio: Missing Minimum Administrator Check in Role Membership Removal | admidio | CWE-754 | 5.2 | Medium | 2026-05-07 |
| CVE-2026-41661 | Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion | admidio | CWE-79 | 6.1 | Medium | 2026-05-07 |
| CVE-2026-41660 | Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP | admidio | CWE-863 | 7.1 | High | 2026-05-07 |
| CVE-2026-41659 | Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment | admidio | CWE-200 | 2.7 | Low | 2026-05-07 |
| CVE-2026-41658 | Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items | admidio | CWE-862 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-41657 | Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php | admidio | CWE-863 | 4.9 | Medium | 2026-05-07 |
| CVE-2026-41656 | Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read | admidio | CWE-22 | 4.5 | Medium | 2026-05-07 |
| CVE-2026-41655 | Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database Credentials | admidio | CWE-22 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-34384 | Admidio: Missing CSRF Protection on Registration Approval Actions | admidio | CWE-352 | 4.5 | Medium | 2026-03-31 |
| CVE-2026-34383 | Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter | admidio | CWE-20 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-34382 | Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php | admidio | CWE-352 | 4.6 | Medium | 2026-03-31 |
| CVE-2026-34381 | Admidio: Unauthenticated Access to Role-Restricted documents via neutralized .htaccess | admidio | CWE-284 | 7.5 | High | 2026-03-31 |
| CVE-2026-32813 | Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) | admidio | CWE-89 | 8.0 | High | 2026-03-20 |
| CVE-2026-32817 | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion | admidio | CWE-862 | 9.1 | Critical | 2026-03-20 |
| CVE-2026-32812 | Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint | admidio | CWE-918 | 6.8 | Medium | 2026-03-20 |
| CVE-2026-32757 | Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection | admidio | CWE-79 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-32756 | Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module | admidio | CWE-434 | 8.8 | High | 2026-03-19 |
| CVE-2026-32818 | Admidio is Missing Authorization on Forum Topic and Post Deletion | admidio | CWE-862 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32816 | Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions | admidio | CWE-352 | 5.7 | Medium | 2026-03-19 |
| CVE-2026-32755 | Admidio is Missing CSRF Protection on Role Membership Date Changes | admidio | CWE-352 | 5.7 | Medium | 2026-03-19 |
| CVE-2026-30927 | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter | admidio | CWE-639 | 5.4 (AI) | Medium (AI) | 2026-03-09 |
| CVE-2025-62617 | Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality | admidio | CWE-89 | 7.2 | High | 2025-10-22 |
| CVE-2024-47836 | Admidio vulnerable to HTML Injection In The Messages Section | admidio | CWE-502 | 3.5 | Low | 2024-10-16 |
| CVE-2024-38529 | Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment | admidio | CWE-434 | 9.1 | Critical | 2024-07-29 |
| CVE-2024-37906 | Admidio has Blind SQL Injection in ecard_send.php | admidio | CWE-89 | 10.0 | Critical | 2024-07-29 |

(AI): the CVSS score and severity for this entry carried the site's "AI" badge, i.e. they were generated by the site rather than taken from the published advisory.

This page lists every published CVE security advisory associated with Admidio. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.