Description
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Published: 2026-03-31
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g3mx-8jm6-rc85 Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user's list configurations — including organization-wide shared lists when the victim holds administrator rights. This issue has been patched in version 5.0.8.
Title Admidio: Missing CSRF Protection on Custom List Deletion in mylist_function.php
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T20:32:35.032Z

Reserved: 2026-03-27T13:43:14.370Z

Link: CVE-2026-34382

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T21:16:30.180

Modified: 2026-03-31T21:16:30.180

Link: CVE-2026-34382

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses