← volver
CVE-2026-41663

Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send

CVSS 3.5 LOWEPSS 0.1%CWE-352
Vexday Risk Score
8Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 3.5EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 may 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Productos afectados
Admidio · admidio

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/Admidio/admidio/releases/tag/v5.0.9https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j