CVE-2026-34382
Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
3th
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations โ including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
| CWE | CWE-352 |
| Vendor | admidio |
| Product | admidio |
| Published | Mar 31, 2026 |
| Last Updated | Apr 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for admidio admidio
Be the first to know when new medium vulnerabilities affecting admidio admidio are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected Versions
Admidio / admidio
>= 5.0.0, < 5.0.8