PT-2026-37147 · Admidio · Admidio

Adrgs · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41663

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9

Description: Several administrative operations within the preferences module are executed via GET requests without CSRF token validation. This allows an attacker to force an authenticated administrator to trigger these actions by visiting a malicious page, because browsers still send SameSite=Lax cookies on top-level GET navigations. The affected operations are located in the 'modules/preferences.php' file under the following modes:
  • 'backup': Triggers a full database dump, which can cause disk I/O and storage pressure on the server.
  • 'test email': Sends a test email from the server, which could be abused for spam or for probing internal email infrastructure.
  • 'htaccess': Overwrites the .htaccess file on the server, potentially disrupting URL routing or disabling security headers.

Recommendations: Update to version 5.0.9.
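As an added illustration that is not Admidio's own code, the following standalone PHP handler shows the defensive pattern the fix calls for: each of the three modes named above runs only after the request is confirmed to be a POST carrying a token that matches the one stored in the session. The mode key 'test_email', the helper names and the session layout are assumptions made for this example.

```php
<?php
// Added example, not code from Admidio: a minimal mode dispatcher in the style
// of a preferences page, guarded against CSRF. The vulnerable shape the
// advisory describes is a dispatcher that runs the mode straight from a GET
// parameter with no token check at all.
declare(strict_types=1);

session_start();

// Issues (or reuses) a per-session token. Forms render it as a hidden field:
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A state-changing action must arrive by POST (a forced top-level navigation
// from another origin is a GET, which SameSite=Lax cookies still accompany)
// and must carry a token matching the session. hash_equals() compares in
// constant time so the check leaks nothing about the expected value.
function requireValidCsrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('State-changing actions must be sent via POST.');
    }
    $submitted = $_POST['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

// The three actions named in the advisory; bodies stand in for the real work.
$actions = [
    'backup'     => fn(): string => 'database backup started',
    'test_email' => fn(): string => 'test e-mail queued',
    'htaccess'   => fn(): string => '.htaccess rewritten',
];

$mode = $_REQUEST['mode'] ?? '';
if (!is_string($mode) || !isset($actions[$mode])) {
    http_response_code(400);
    exit('Unknown mode.');
}

requireValidCsrf();          // every listed mode is guarded before it runs
echo $actions[$mode]();
```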

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-41663
GHSA-RW74-VC9H-534J

Affected Products

Admidio