← voltar
CVE-2026-41663

Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send

CVSS 3.5 LOWEPSS 0.1%CWE-352
Vexday Risk Score
8Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 3.5EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Produtos afetados
Admidio · admidio

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/Admidio/admidio/releases/tag/v5.0.9https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j