PT-2026-37140 · Admidio · Admidio

Offset · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41656

CVSS v3.1: 4.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9

Description: An issue exists in the 'add' mode of the 'modules/documents-files.php' endpoint, where the name parameter is validated only as a string, so path traversal sequences such as ../ pass unfiltered. Because the endpoint has no CSRF protection and the session cookie is set with SameSite=Lax, a low-privileged attacker can trick a documents administrator into clicking a crafted link. That request registers an arbitrary server file, such as 'install/config.php' (which may contain database credentials), into a documents folder the attacker can access, leading to arbitrary server file read.

Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the 'modules/documents-files.php' endpoint, or avoid using the name parameter in the 'add' mode, until the update is applied.
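The two defects the advisory names are a file name accepted without any path check and a state-changing action with no CSRF token. The following is an added example, not Admidio's code, of how a file-registration handler can close both gaps: it rejects anything that is not a plain file name, confirms the canonical path still lies under the documents folder, and checks a per-session CSRF token in constant time. The function names, the `csrf_token` field and the folder layout are assumptions made for the example.

```php
<?php
// Added example (not Admidio code): defensive checks for an endpoint that
// registers an existing file from a documents folder, as in the 'add' mode
// described above. Function names and the csrf_token field are assumptions.

declare(strict_types=1);

/**
 * True only if $name is a bare file name: non-empty, not "." or "..",
 * and free of directory separators and NUL bytes.
 */
function isPlainFileName(string $name): bool
{
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Reject '/', '\' and NUL in one scan; "../" can never pass this.
    if (strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    return true;
}

/**
 * Resolves $name inside $folderRoot and returns the canonical path, or null
 * if the name is malformed, the file does not exist, or the canonical path
 * escapes the folder (e.g. via a symlink pointing outside it).
 */
function resolveInsideFolder(string $folderRoot, string $name): ?string
{
    if (!isPlainFileName($name)) {
        return null;
    }
    $root = realpath($folderRoot);
    if ($root === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);

    // realpath() collapses ".." and follows symlinks; false if the file is missing.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // The canonical path must begin with "<root><sep>"; a prefix match on
    // $root alone would wrongly accept "/var/docs_other" for root "/var/docs".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Compares the submitted CSRF token with the one stored in the session.
 * hash_equals() avoids leaking the token through timing differences.
 */
function csrfTokenValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token']    ?? '';
    return is_string($expected) && is_string($given) && $expected !== ''
        && hash_equals($expected, $given);
}

/**
 * Handler skeleton for the 'add' action: the CSRF check runs before any
 * file-system access, and only a validated canonical path is registered.
 * Returns the path that was registered, or null if the request was rejected.
 */
function handleAddDocument(array $session, array $post, string $documentsRoot): ?string
{
    if (!csrfTokenValid($session, $post)) {
        return null; // respond 403; never act on a request without a valid token
    }
    $name = $post['name'] ?? '';
    if (!is_string($name)) {
        return null;
    }
    return resolveInsideFolder($documentsRoot, $name);
}
```

The token check is what defends against the cross-site request the advisory describes; SameSite=Lax still allows top-level navigations such as a clicked link to carry the session cookie, so tightening the cookie attribute alone is not a substitute for it. Accepting the action only over POST, with the token in the body, keeps a plain link from triggering it at all.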

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-41656
GHSA-M9H6-8PQM-XRHF

Affected Products

Admidio