Security: Admidio/admidio
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Admidio writes session IDs and auto-login cookie values to application logs
  GHSA-mch8-wf3h-6x88 published May 25, 2026 by Fasse. Severity: Moderate
- Admidio PKCS#12 private key export action lacks CSRF protection
  GHSA-4rgq-38mh-9xqg published May 25, 2026 by Fasse. Severity: Moderate
- Any logged-in user can delete inventory fields via `modules/inventory.php` `mode=field_delete` — incomplete fix of #2024
  GHSA-xw54-c3mx-9pm3 published May 25, 2026 by Fasse. Severity: Moderate
- IDOR in `documents-files.php` `mode=file_rename_save` lets any folder-uploader rename or modify the description of files in folders they cannot upload to
  GHSA-q6w3-hpfv-rg36 published May 25, 2026 by Fasse. Severity: Moderate
- IDOR in `documents-files.php` `mode=move_save` lets any folder-uploader exfiltrate files from private folders
  GHSA-x628-457g-2pw9 published May 25, 2026 by Fasse. Severity: High
- CSRF in `modules/sso/clients.php` `enable` mode toggles SAML / OIDC client status without token validation
  GHSA-xg76-5qj2-2hhv published May 25, 2026 by Fasse. Severity: Moderate
- CSRF in registration `send_login` mode resets arbitrary user passwords
  GHSA-mx25-j3rc-6w2w published May 25, 2026 by Fasse. Severity: Moderate
- Module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
  GHSA-rwjr-qjj3-mq2f published May 25, 2026 by Fasse. Severity: Moderate
- Authorization Bypass in file_delete Enables Cross-Folder File Deletion by Authenticated Members
  GHSA-qc4c-hrmc-4f78 published May 25, 2026 by Fasse. Severity: Moderate
- Incomplete fix for CVE-2026-32812: SSRF in admidio
  GHSA-hcjj-chvw-fmw9 published Apr 27, 2026 by Fasse. Severity: Moderate