CVE-2026-30498
Description
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdminPanel 4.0's delete.php endpoint lacks CSRF protection, enabling an attacker to force an authenticated user to delete critical files and reinitialize the application.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the delete.php endpoint of AdminPanel 4.0 and prior versions (the project is archived) [1]. The endpoint processes file deletion requests via a GET parameter (file) without any CSRF token, Origin, or Referer header validation [1]. No verification of user intent is performed, and sensitive actions are exposed via GET requests [1].
Exploitation
An attacker hosts a malicious page (e.g., at http://localhost:8081/evil.html) containing a form that auto-submits a GET request to http://localhost:8080/delete.php?file=verifyPanel.php [1]. When an authenticated victim visits the attacker's page, the browser automatically includes the victim's session cookie and the server executes the deletion [1]. Because the forged request is a top-level GET navigation, the cookie is sent even under a browser's default SameSite=Lax treatment of cookies that carry no SameSite attribute, since Lax still permits cookies on cross-site top-level navigations that use safe methods such as GET. The attacker does not need to steal the session, only to trick a logged-in user into loading the malicious page [1].
Impact
Successful exploitation deletes verifyPanel.php, which is a required authentication file [1]. The application then detects the missing file and enters setup mode, resulting in authentication bypass and full system reinitialization (the attacker can reconfigure the application) [1]. This leads to a complete compromise of confidentiality, integrity, and availability of the application.
Mitigation
The AdminPanel 4.0 project is archived and no longer maintained, so no official patch is available [1]. Users should immediately stop using the application or migrate to an alternative solution. As a workaround, deploy a Web Application Firewall (WAF) with rules to block requests to delete.php from untrusted origins, but this is not a complete fix [1]: browsers and privacy tools may omit the Origin and Referer headers entirely, and a rule that allows header-less requests leaves the GET-based deletion reachable. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Jason2605 AdminPanel: range = 4.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protections on the delete.php endpoint allows an attacker to forge authenticated file-deletion requests."
Attack vector
An attacker hosts a malicious page that sends a forged GET request to `http://localhost:8080/delete.php?file=verifyPanel.php`. When an authenticated victim visits the attacker's page, the browser automatically attaches the victim's session cookie, and the server executes the deletion without verifying the request's origin [ref_id=1]. The absence of CSRF token validation, Origin/Referer header checks, and any user-intent confirmation allows this cross-origin attack to succeed [ref_id=1].
Affected code
The vulnerable endpoint is `delete.php` in AdminPanel 4.0. It accepts a `file` parameter via GET request and performs file deletion based on the user's session without any CSRF protection [ref_id=1].
What the fix does
No patch is published for this archived project. The advisory recommends implementing CSRF protections: adding CSRF token validation on the `delete.php` endpoint, verifying Origin or Referer headers, changing the sensitive action from GET to POST, and adding a confirmation step to verify user intent [ref_id=1].
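The following is an added example, not code from the AdminPanel project, showing what a locally applied fix to delete.php could look like if it implemented the four recommendations above (POST only, Origin/Referer check, per-session CSRF token, explicit confirmation) plus an allow-list so that application files such as verifyPanel.php can never be targets. The directory path, the allow-list, the SITE_ORIGIN constant, and the $_SESSION['user'] and $_SESSION['csrf_token'] keys are assumptions; this page does not describe the project's real session layout or file handling.

```php
<?php
// Added example: hardened delete.php (not the AdminPanel project's own code).
// Assumed vulnerable shape, consistent with the advisory's description:
//     unlink($_GET['file']);   // no method, origin, token or intent check
declare(strict_types=1);

// Assumption: the application's own origin is configured, not derived from the
// Host header (which a misconfigured server may let the client influence).
const SITE_ORIGIN   = 'http://localhost:8080';
const DELETE_DIR    = __DIR__ . '/uploads';            // assumed location
const ALLOWED_FILES = ['report.csv', 'backup.zip'];    // assumed allow-list

// Defence in depth: mark the session cookie SameSite=Lax and HttpOnly.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Origin header preferred; Referer as fallback. A request with neither
// cannot prove it is same-origin, so it is rejected.
function sameOriginOk(array $server, string $expectedOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return false;
        }
        $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    return $origin !== null && hash_equals($expectedOrigin, $origin);
}

// Constant-time comparison of the submitted token with the per-session token.
// The token is expected to be created when the delete form is rendered, e.g.
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   (assumed, not shown here)
function csrfTokenOk(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// Assumption: the application's login stored the user in $_SESSION['user'].
if (empty($_SESSION['user'])) {
    fail(401, 'not authenticated');
}

// 1. Sensitive action only over POST; the GET form of the request is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    fail(405, 'method not allowed');
}

// 2. Origin / Referer must match the site's own origin.
if (!sameOriginOk($_SERVER, SITE_ORIGIN)) {
    fail(403, 'cross-origin request rejected');
}

// 3. Per-session CSRF token must match.
if (!csrfTokenOk($_SESSION, $_POST)) {
    fail(403, 'invalid CSRF token');
}

// 4. Explicit confirmation of user intent carried by the form.
if (($_POST['confirm'] ?? '') !== 'yes') {
    fail(400, 'deletion not confirmed');
}

// 5. Only a bare file name from the allow-list is accepted, so neither path
//    traversal nor deletion of application files like verifyPanel.php is possible.
$file = $_POST['file'] ?? '';
if (!is_string($file) || !in_array($file, ALLOWED_FILES, true)) {
    fail(400, 'file not deletable');
}

$path = DELETE_DIR . '/' . $file;
if (!is_file($path) || !unlink($path)) {
    fail(404, 'file not found');
}
echo 'deleted';
```

The order of the checks matters less than their union: the method check alone defeats the auto-submitting GET form from the advisory, the Origin/Referer and token checks stop a cross-site POST form, and the allow-list removes verifyPanel.php from the set of reachable targets even if every other control is bypassed.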
Preconditions
- auth: victim must be authenticated with an active session cookie on the AdminPanel server
- network: attacker must host a web page reachable by the victim (e.g., http://localhost:8081/evil.html)
- input: victim must visit the attacker's malicious page while authenticated
Reproduction
1. Start the victim AdminPanel server (e.g., on localhost:8080).
2. Log in as an authenticated user.
3. Open the attacker's malicious page at http://localhost:8081/evil.html.
4. The page contains a form that auto-submits a GET request to `http://localhost:8080/delete.php?file=verifyPanel.php`.
5. Return to the dashboard: `verifyPanel.php` has been deleted and the application enters setup mode [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions
No linked articles in our index yet.