Admidio — Vulnerabilities & Security Advisories 34

All 34 CVE vulnerabilities found in Admidio, with AI-generated Chinese analysis, references, and POCs.

This page catalogs security weaknesses and vulnerabilities reported in Admidio, a widely used open-source personnel management and community website application. It aggregates reported issues across several common weakness classes, including injection flaws, cross-site scripting, and improper access controls, which can affect the confidentiality, integrity, or availability of the data the software manages. The entries span vulnerability reports and advisories from the software's early releases through recent updates, giving a historical view of its security posture over time. The list can be used to track the project's advisory history and to gauge how quickly and thoroughly the developers address reported flaws, and readers can also find detailed information on specific weakness classes to better understand the nature of each bug and its potential impact on a deployment. Administrators, security researchers, and auditors can review a product's full vulnerability history here when assessing risk before installation or during routine security reviews. Centralizing this information makes it easier to check whether known vulnerabilities have been patched and whether the current version is still suitable for production use, supporting informed decisions about adoption and maintenance without relying on fragmented sources.

Vendor: Admidio

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2018-25370 | Admidio 3.3.5 Cross-Site Request Forgery via roles_function.php | CWE-352 | 5.3 | Medium | 2026-05-25 |
| CVE-2026-42194 | Incomplete fix for CVE-2026-32812: SSRF in admidio | CWE-918 | 6.8 | Medium | 2026-05-07 |
| CVE-2026-41671 | Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation | CWE-287 | 6.8 | Medium | 2026-05-07 |
| CVE-2026-41670 | Admidio: SAML Response Sent to Unvalidated Assertion Consumer Service URL from AuthnRequest | CWE-20 | 8.2 | High | 2026-05-07 |
| CVE-2026-41669 | Admidio: SAML Signature Validation Result Ignored — Forged AuthnRequests and LogoutRequests Processed | CWE-347 | 8.2 | High | 2026-05-07 |
| CVE-2026-41663 | Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send | CWE-352 | 3.5 | Low | 2026-05-07 |
| CVE-2026-41662 | Admidio: Missing Minimum Administrator Check in Role Membership Removal | CWE-754 | 5.2 | Medium | 2026-05-07 |
| CVE-2026-41661 | Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion | CWE-79 | 6.1 | Medium | 2026-05-07 |
| CVE-2026-41660 | Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP | CWE-863 | 7.1 | High | 2026-05-07 |
| CVE-2026-41659 | Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment | CWE-200 | 2.7 | Low | 2026-05-07 |
| CVE-2026-41658 | Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items | CWE-862 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-41657 | Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php | CWE-863 | 4.9 | Medium | 2026-05-07 |
| CVE-2026-41656 | Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read | CWE-22 | 4.5 | Medium | 2026-05-07 |
| CVE-2026-41655 | Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database Credentials | CWE-22 | 6.5 | Medium | 2026-05-07 |
| CVE-2026-34384 | Admidio: Missing CSRF Protection on Registration Approval Actions | CWE-352 | 4.5 | Medium | 2026-03-31 |
| CVE-2026-34383 | Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter | CWE-20 | 4.3 | Medium | 2026-03-31 |
| CVE-2026-34382 | Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php | CWE-352 | 4.6 | Medium | 2026-03-31 |
| CVE-2026-34381 | Admidio: Unauthenticated Access to Role-Restricted Documents via Neutralized .htaccess | CWE-284 | 7.5 | High | 2026-03-31 |
| CVE-2026-32813 | Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter) | CWE-89 | 8.0 | High | 2026-03-20 |
| CVE-2026-32817 | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion | CWE-862 | 9.1 | Critical | 2026-03-20 |
| CVE-2026-32812 | Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint | CWE-918 | 6.8 | Medium | 2026-03-20 |
| CVE-2026-32757 | Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection | CWE-79 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-32756 | Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module | CWE-434 | 8.8 | High | 2026-03-19 |
| CVE-2026-32818 | Admidio is Missing Authorization on Forum Topic and Post Deletion | CWE-862 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-32816 | Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions | CWE-352 | 5.7 | Medium | 2026-03-19 |
| CVE-2026-32755 | Admidio is Missing CSRF Protection on Role Membership Date Changes | CWE-352 | 5.7 | Medium | 2026-03-19 |
| CVE-2026-30927 | Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter | CWE-639 | 5.4 (AI) | Medium (AI) | 2026-03-09 |
| CVE-2025-62617 | Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality | CWE-89 | 7.2 | High | 2025-10-22 |
| CVE-2024-47836 | Admidio Vulnerable to HTML Injection in the Messages Section | CWE-502 | 3.5 | Low | 2024-10-16 |
| CVE-2024-38529 | Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment | CWE-434 | 9.1 | Critical | 2024-07-29 |

Scores marked "(AI)" are shown on the page as AI-estimated rather than vendor- or NVD-assigned values.