CVE-2026-34382 | THREATINT

Description

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.

PUBLISHED Reserved 2026-03-27 | Published 2026-03-31 | Updated 2026-04-01 | Assigner GitHub_M

MEDIUM: 4.6CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Problem types

CWE-352: Cross-Site Request Forgery (CSRF)

Product status

>= 5.0.0, < 5.0.8

affected

References

github.com/...dmidio/security/advisories/GHSA-g3mx-8jm6-rc85

github.com/...ommit/317ec91ad3baf19d4179db6c32413812eb36d7ca

cve.org (CVE-2026-34382)

nvd.nist.gov (CVE-2026-34382)

Download JSON