PT-2026-25865 · Admidio · Admidio
Restriction · Published 2026-03-16 · Updated 2026-03-21 · CVE-2026-32813
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Admidio versions 5.0.6 and below
Description
Admidio, an open-source user management solution, contains a second-order SQL injection flaw in the MyList configuration feature. Authenticated users can define custom list column layouts; the column names, sort directions and filter conditions they choose are stored in the adm_list_columns table. These stored values are later used in dynamically constructed SQL queries without proper sanitization, allowing an attacker to inject arbitrary SQL. This can lead to full database compromise, including data exfiltration, modification and potential privilege escalation. The flaw exists because the user-supplied values for column names, sort directions and filter conditions are not adequately validated before being stored and subsequently used in SQL queries. Specifically, the lsc_special_field value is interpolated directly into SQL strings without sufficient validation, and the lsc_sort parameter lacks server-side validation. The injected SQL is executed when the list is viewed. The affected code is the addColumn() method and mylist_function.php, as well as ListConfiguration::getSql().
Recommendations
Versions prior to 5.0.7 are affected.
Apply a strict allowlist to the lsc_special_field parameter before calling addColumn() in mylist_function.php.
Validate that the lsc_sort parameter is one of ASC, DESC, or an empty string before storing it in ListConfiguration::addColumn().
Implement defense-in-depth validation of the lsc_special_field value within ListConfiguration::getSql() before interpolating it into SQL strings.
Escape single quotes in ConditionParser::makeSqlStatement() to prevent injection through filter values.
Exploit
Fix
SQL injection
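The three validation points listed under Recommendations, as an added example that is not Admidio's code: an allowlist check on the special-field column, the ASC/DESC/empty check on the sort direction, and a filter value passed as a bind parameter instead of being interpolated (a stricter alternative to escaping quotes). The allowlist contents, the table name and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Admidio's code. The allowlist entries and the table
// name are assumptions chosen for illustration.
const ALLOWED_SPECIAL_FIELDS = ['usr_login_name', 'mem_begin', 'mem_end'];

// Sort direction must be exactly ASC, DESC or empty; reject it before storage.
function validateSortDirection(string $sort): string
{
    $sort = strtoupper(trim($sort));
    if (!in_array($sort, ['ASC', 'DESC', ''], true)) {
        throw new InvalidArgumentException("invalid sort direction: $sort");
    }
    return $sort;
}

// Only identifiers from the fixed allowlist may ever reach the SQL string.
function validateSpecialField(string $field): string
{
    if (!in_array($field, ALLOWED_SPECIAL_FIELDS, true)) {
        throw new InvalidArgumentException("unknown special field: $field");
    }
    return $field;
}

// Builds WHERE / ORDER BY fragments for a stored layout. Each entry is
// ['field' => string, 'sort' => string, 'filter' => ?string]. Filter values
// never enter the SQL text; they are returned as named bind parameters.
function buildListSql(array $columns): array
{
    $order = $where = $params = [];
    foreach ($columns as $i => $col) {
        $field = validateSpecialField($col['field']);      // allowlist check
        $sort  = validateSortDirection($col['sort'] ?? '');
        if ($sort !== '') {
            $order[] = "$field $sort";
        }
        if (($col['filter'] ?? '') !== '') {
            $where[] = "$field = :f$i";                     // placeholder only
            $params[":f$i"] = $col['filter'];               // bound by the driver
        }
    }
    $sql = 'SELECT * FROM adm_members';
    if ($where) { $sql .= ' WHERE ' . implode(' AND ', $where); }
    if ($order) { $sql .= ' ORDER BY ' . implode(', ', $order); }
    return ['sql' => $sql, 'params' => $params];
}

// Constructed input: a valid layout, then one naming a column outside the allowlist.
print_r(buildListSql([['field' => 'usr_login_name', 'sort' => 'asc', 'filter' => "O'Brien"]]));
try {
    buildListSql([['field' => 'usr_password', 'sort' => 'ASC']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call yields a query containing only the placeholder `:f0`, with the quote-bearing filter value carried separately in `params`; the second call is rejected before any SQL is built.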
Affected Products
Admidio