| CVE-2026-41670 | high | 8.2 | 8.2 | 1mo ago | Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest |
| CVE-2026-41669 | high | 8.2 | 8.2 | 1mo ago | Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests |
| CVE-2026-41660 | high | 7.1 | 7.1 | 1mo ago | Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP |
| CVE-2026-42194 | medium | 6.8 | 6.8 | 29d ago | Admidio has an incomplete fix for CVE-2026-32812 (SSRF) |
| CVE-2026-41671 | medium | 6.8 | 6.8 | 1mo ago | Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation |
| CVE-2026-41658 | medium | 6.5 | 6.5 | 1mo ago | Admidio's Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items |
| CVE-2026-41655 | medium | 6.5 | 6.5 | 1mo ago | Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials |
| CVE-2026-41661 | medium | 6.1 | 6.1 | 1mo ago | Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion |
| CVE-2017-8382 | medium | 4.5 | 5.5 | 9y ago | admidio CSRF Vulnerability |
| CVE-2026-41662 | medium | 5.2 | 5.2 | 1mo ago | Admidio Missing Minimum Administrator Check in Role Membership Removal |
| CVE-2026-41657 | medium | 4.9 | 4.9 | 1mo ago | Admidio Exposes Cross-Organization Member Data via Permission Check Mismatch in contacts_data.php |
| CVE-2026-41656 | medium | 4.5 | 4.5 | 1mo ago | Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read |
| CVE-2026-41663 | low | 3.5 | 3.5 | 1mo ago | Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send |
| CVE-2026-41659 | low | 2.7 | 2.7 | 1mo ago | Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment |
| CVE-2026-47233 | unknown | — | — | 5d ago | Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024 |
| CVE-2026-47234 | unknown | — | — | 5d ago | Admidio writes session IDs and auto-login cookie values to application logs |
| CVE-2026-47232 | unknown | — | — | 5d ago | Admidio PKCS#12 private key export action lacks CSRF protection |
| CVE-2026-47231 | unknown | — | — | 5d ago | Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders |
| CVE-2026-47230 | unknown | — | — | 5d ago | Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders |
| CVE-2026-47229 | unknown | — | — | 5d ago | Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation |
| CVE-2026-47228 | unknown | — | — | 5d ago | Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords |
| CVE-2026-47227 | unknown | — | — | 5d ago | Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php` |
| CVE-2026-47226 | unknown | — | — | 5d ago | Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges |
| CVE-2026-34383 | unknown | — | — | 2mo ago | Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter |
| CVE-2026-34384 | unknown | — | — | 2mo ago | Admidio has Missing CSRF Protection on Registration Approval Actions |
| CVE-2026-34382 | unknown | — | — | 2mo ago | Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php |
| CVE-2026-34381 | unknown | — | — | 2mo ago | Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess |
| CVE-2026-32813 | unknown | — | — | 3mo ago | Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) |
| CVE-2026-32818 | unknown | — | — | 3mo ago | Admidio is Missing Authorization on Forum Topic and Post Deletion |
| CVE-2026-32757 | unknown | — | — | 3mo ago | Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection |
| CVE-2026-32817 | unknown | — | — | 3mo ago | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion |
| CVE-2026-32812 | unknown | — | — | 3mo ago | Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint |
| CVE-2026-32755 | unknown | — | — | 3mo ago | Admidio is Missing CSRF Protection on Role Membership Date Changes |
| CVE-2026-32816 | unknown | — | — | 3mo ago | Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions |
| CVE-2026-32756 | unknown | — | — | 3mo ago | File Upload(RCE) Vulnerability in admidio |
| CVE-2026-30927 | unknown | — | — | 3mo ago | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter |
| CVE-2025-62617 | unknown | — | — | 7mo ago | Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality |
| CVE-2024-47836 | unknown | — | — | 2y ago | Admidio Vulnerable to HTML Injection In The Messages Section |
| CVE-2024-38529 | unknown | — | — | 2y ago | Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment |
| CVE-2024-37906 | unknown | — | — | 2y ago | Admidio has Blind SQL Injection in ecard_send.php |
| CVE-2023-47380 | unknown | — | — | 3y ago | Cross-site Scripting in Admidio |
| CVE-2023-4190 | unknown | — | — | 3y ago | Admidio Insufficient Session Expiration vulnerability |
| CVE-2023-3692 | unknown | — | — | 3y ago | Admidio vulnerable to Unrestricted Upload of File with Dangerous Type |
| CVE-2023-3304 | unknown | — | — | 3y ago | Admidio Improper Access Control vulnerability |
| CVE-2023-3303 | unknown | — | — | 3y ago | Admidio Improper Access Control vulnerability |
| CVE-2023-3302 | unknown | — | — | 3y ago | Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability |
| CVE-2023-3109 | unknown | — | — | 3y ago | Admidio vulnerable to Cross-site Scripting |
| CVE-2022-23896 | unknown | — | — | 4y ago | Cross-site Scripting in admidio |
| CVE-2022-0991 | unknown | — | — | 4y ago | Insufficient Session Expiration in Admidio |