6.8
CVE-2026-42194
- EPSS 0.24%
- Veröffentlicht 07.05.2026 04:16:34
- Zuletzt bearbeitet 07.05.2026 16:16:20
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Incomplete fix for CVE-2026-32812: SSRF in admidio
Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerAdmidio
≫
Produkt
admidio
Version
< 5.0.9
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.143 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.8 | 2.3 | 4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/Admidio/admidio/releases/tag/v5.0.9
https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9