Low severity3.5GHSA Advisory· Published May 7, 2026· Updated May 7, 2026

CVE-2026-41663

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
admidio/admidioPackagist	< 5.0.9	5.0.9

Affected products

Admidio/AdmidioGHSA
Range: <= 5.0.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rw74-vc9h-534jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41663ghsaADVISORY
github.com/Admidio/admidio/releases/tag/v5.0.9nvdWEB
github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534jnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.227
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000