PT-2026-29350 · Admidio · Admidio
Offset · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34383
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.8
Description: The inventory module's item save endpoint is susceptible to a bypass of both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request that saves arbitrary inventory item data without CSRF protection and without the field value checks normally enforced. The issue stems from the item save endpoint accepting a user-controllable POST parameter, imported, which, when set to true, disables these security measures. Specifically, the code reads the imported parameter from POST input and passes it to ItemService. Inside ItemService::save(), the postImported flag bypasses CSRF and form validation, allowing raw $_POST values to be used directly for saving data. This bypass enables attackers to execute Cross-Site Request Forgery (CSRF) attacks and potentially inject malicious code, such as scripts, into the inventory data.
Recommendations: Versions prior to 5.0.8: Remove the imported parameter bypass from the save logic, or at minimum always validate the CSRF token regardless of the imported flag. Alternatively, the imported flag should only be set by the import workflow itself, rather than being controllable via direct POST input.
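As an added illustration (not Admidio's code; the function names, the CsrfError/ValidationError classes and the server-side import flag are assumptions), here is the flag-controlled bypass described above beside a hardened save routine that follows the recommendation: the token is always checked, and import mode is taken from server-side state rather than from the request body.

```php
<?php
// Added illustration, not Admidio's code. Names and structure are assumptions.

final class CsrfError extends RuntimeException {}
final class ValidationError extends RuntimeException {}

function validateItemFields(array $post): void
{
    // Minimal field check standing in for the real form validation.
    $name = (string)($post['name'] ?? '');
    if ($name === '' || strlen($name) > 100 || $name !== strip_tags($name)) {
        throw new ValidationError('invalid item name');
    }
}

// Vulnerable shape: a POST-controlled "imported" flag skips both checks,
// so a direct POST with imported=true stores raw request values.
function saveItemVulnerable(array $post, string $sessionToken): array
{
    $postImported = filter_var($post['imported'] ?? false, FILTER_VALIDATE_BOOLEAN);
    if (!$postImported) {
        if (!hash_equals($sessionToken, (string)($post['csrf_token'] ?? ''))) {
            throw new CsrfError('invalid CSRF token');
        }
        validateItemFields($post);
    }
    return ['name' => $post['name'] ?? ''];
}

// Hardened shape: CSRF token and field validation run unconditionally;
// whether this save belongs to an import is decided by server-side state
// ($importInProgress, e.g. a session flag set by the import workflow).
function saveItemHardened(array $post, string $sessionToken, bool $importInProgress): array
{
    if (!hash_equals($sessionToken, (string)($post['csrf_token'] ?? ''))) {
        throw new CsrfError('invalid CSRF token');
    }
    validateItemFields($post);
    $source = $importInProgress ? 'import' : 'form';
    return ['name' => $post['name'], 'source' => $source];
}

// Constructed request: imported=true, no token, tag in the item name.
$token  = bin2hex(random_bytes(16));
$forged = ['imported' => 'true', 'name' => '<b>item</b>'];
var_dump(saveItemVulnerable($forged, $token));   // vulnerable path accepts it
try {
    saveItemHardened($forged, $token, false);     // hardened path rejects it
} catch (CsrfError | ValidationError $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```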

Exploit

Fix

CSRF

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34383
GHSA-4RWM-C5MJ-WH7X

Affected Products

Admidio