8.8

CVE-2026-32756

Exploit

EPSS 0.04%
Veröffentlicht 19.03.2026 23:08:03
Zuletzt bearbeitet 23.03.2026 16:51:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Admidio ≫ Admidio Version < 5.0.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.108

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://github.com/Admidio/admidio/releases/tag/v5.0.7

Patch

Product

https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-32756

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32756

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32756

EUVD