PT-2026-29349 · Admidio · Admidio
Jfoz1010 · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34382
CVSS v3.1 4.6 Medium
Vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.0 through 5.0.7
Description: The delete mode handler in mylist_function.php does not validate a CSRF token before permanently deleting list configurations. An attacker can exploit this by luring an authenticated user to a malicious page, which results in the silent destruction of the user's list configurations, including organization-wide shared lists if the victim has administrator rights. The vulnerable code is in modules/groups-roles/mylist_function.php, in the delete case (lines 159-161), where delete() is called without CSRF validation. The vulnerability is triggered by a malicious page containing a form that submits a POST request to the /modules/groups-roles/mylist_function.php endpoint with the mode parameter set to delete and the list_uuid parameter set to the target list's UUID. The column[] parameter is also required, because its input guard currently runs for every mode rather than only the save modes, but any static value is sufficient. The adm_csrf_token parameter, which the save modes verify, is not checked during the delete operation, so the forged request needs no value the attacker cannot supply.
Recommendations: Apply the SecurityUtils::validateCsrfToken() pattern to the delete mode handler in mylist_function.php, as the save modes already do. Move the column[] input guard inside the in_array($getMode, ['save', 'save_as', 'save_temporary']) block so that delete requests are not required to carry column data.
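As an added illustration of the recommended fix (example code written for this page, not Admidio's own source), the block below models the mode dispatch of mylist_function.php in plain PHP. CsrfGuard is a hypothetical stand-in for Admidio's SecurityUtils::validateCsrfToken() and its session handling; the list store, the request arrays and the UUID are constructed for the demonstration. The delete branch carries the same token check as the save branches, and the column[] guard sits inside the save-mode block as the recommendation describes.

```php
<?php
declare(strict_types=1);

// Added example, not Admidio's code. CsrfGuard is a hypothetical stand-in for
// SecurityUtils::validateCsrfToken(); $lists is a plain array standing in for the
// persisted list configurations.

final class CsrfGuard
{
    /** Create the per-session token on first use and return it. */
    public static function token(array &$session): string
    {
        if (!isset($session['csrf_token'])) {
            $session['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $session['csrf_token'];
    }

    /** Reject the request unless the submitted token matches the session's (constant-time compare). */
    public static function validate(array $session, ?string $submitted): void
    {
        if (!isset($session['csrf_token']) || $submitted === null
            || !hash_equals($session['csrf_token'], $submitted)) {
            throw new RuntimeException('Invalid CSRF token');
        }
    }
}

/**
 * Handle one POST to the list-configuration endpoint.
 * $lists (uuid => config) is passed by reference so a successful delete removes the entry.
 * Returns a short status string so the caller can check the outcome.
 */
function handleMyListRequest(array $post, array $session, array &$lists): string
{
    $mode = $post['mode'] ?? '';
    $listUuid = $post['list_uuid'] ?? '';

    // Modes that write a list configuration. Only these need column[] input, so the
    // column[] guard lives inside this block instead of running for every mode.
    if (in_array($mode, ['save', 'save_as', 'save_temporary'], true)) {
        CsrfGuard::validate($session, $post['adm_csrf_token'] ?? null);
        if (empty($post['column']) || !is_array($post['column'])) {
            throw new InvalidArgumentException('No columns selected');
        }
        $lists[$listUuid] = ['columns' => array_values($post['column'])];
        return 'saved';
    }

    if ($mode === 'delete') {
        // The fix: the delete mode validates the token exactly like the save modes.
        // In the vulnerable versions this check was absent, so a cross-site form reached delete().
        CsrfGuard::validate($session, $post['adm_csrf_token'] ?? null);
        if (!isset($lists[$listUuid])) {
            throw new InvalidArgumentException('Unknown list');
        }
        unset($lists[$listUuid]);
        return 'deleted';
    }

    throw new InvalidArgumentException('Unknown mode');
}

// Demonstration with constructed data: one victim session and one stored list.
$session = [];
$token = CsrfGuard::token($session);
$lists = ['a1b2c3' => ['columns' => ['usr_login_name']]];

// 1. A cross-site form knows mode and list_uuid but cannot read the victim's token.
try {
    handleMyListRequest(['mode' => 'delete', 'list_uuid' => 'a1b2c3', 'column' => ['x']], $session, $lists);
    echo "unexpected: forged delete succeeded\n";
} catch (RuntimeException $e) {
    echo 'cross-site delete rejected: ' . $e->getMessage() . "\n";
}
echo 'list still present: ' . (isset($lists['a1b2c3']) ? 'yes' : 'no') . "\n";

// 2. The same request from Admidio's own page carries the session token and succeeds.
$status = handleMyListRequest(
    ['mode' => 'delete', 'list_uuid' => 'a1b2c3', 'adm_csrf_token' => $token],
    $session,
    $lists
);
echo "same-site delete: $status\n";
echo 'list still present: ' . (isset($lists['a1b2c3']) ? 'yes' : 'no') . "\n";
```

Run with `php` on the command line: the forged request is rejected and the list survives, the token-bearing request deletes it. The token must be compared with hash_equals() rather than `==` so that the check does not leak timing information, and the same check must sit in every state-changing mode; guarding only the save modes is exactly the gap this advisory describes.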

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34382
GHSA-G3MX-8JM6-RC85

Affected Products

Admidio