| CVE-2026-41670 |
high |
8.2 |
8.2 |
|
|
|
1mo ago |
Admidio Sends SAML Response to Unvalidated Assertion Consumer Service URL from AuthnRequest |
| CVE-2026-41669 |
high |
8.2 |
8.2 |
|
|
|
1mo ago |
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests |
| CVE-2026-41660 |
high |
7.1 |
7.1 |
|
|
|
1mo ago |
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP |
| CVE-2026-41663 |
low |
3.5 |
3.5 |
|
|
|
1mo ago |
Admidio has CSRF on Admin Preferences that Triggers Unauthorized Backup, .htaccess Write, and Email Send |
| CVE-2026-41659 |
low |
2.7 |
2.7 |
|
|
|
1mo ago |
Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment |
| CVE-2026-47233 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024 |
| CVE-2026-47234 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio writes session IDs and auto-login cookie values to application logs |
| CVE-2026-47232 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio PKCS#12 private key export action lacks CSRF protection |
| CVE-2026-47231 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders |
| CVE-2026-47230 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders |
| CVE-2026-47229 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation |
| CVE-2026-47228 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords |
| CVE-2026-47227 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php` |
| CVE-2026-47226 |
unknown |
— |
— |
|
|
|
7d ago |
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges |
