CVE-2026-32756 (HIGH, CVSS 8.8, EPSS percentile 57.7%)

Description

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.98% probability of exploitation, percentile 57.7% (as of 2026-06-18T12:00:27Z)
Published: 2026-03-20
Last modified: 2026-03-23

Underlying weaknesses (1)

CWE-434: Unrestricted Upload of File with Dangerous Type

References

  1. https://github.com/Admidio/admidio/releases/tag/v5.0.7
  2. https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5

Type: Weakness
Target: Unrestricted Upload of File with Dangerous Type (CWE-434)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-32817
  2. CVE-2025-52353
  3. CVE-2026-32813
  4. CVE-2025-2005
  5. CVE-2025-46001
  6. CVE-2025-9113

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.