CVE-2026-32813 · HIGH 8.0 · EPSS percentile 19.5%

CVE-2026-32813

Description

Admidio is an open-source user management solution. Versions 5.0.6 and earlier are vulnerable to arbitrary SQL injection through the MyList configuration feature. MyList lets authenticated users define custom list column layouts; the user-supplied column names, sort directions, and filter conditions are stored in the adm_list_columns table via prepared statements, so the write path itself is safe. The stored values are later read back and interpolated directly into dynamically constructed SQL queries without validation or parameterization, which is the classic second-order SQL injection pattern (safe write, unsafe read): the payload is persisted with the list definition and executes whenever the list is rendered. A low-privileged authenticated user can exploit this to inject arbitrary SQL and potentially read, modify, or delete any data in the database, achieving full database compromise. The issue is fixed in version 5.0.7; upgrading is the remediation.
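The "safe write, unsafe read" pattern described above, modelled as an added Python/sqlite3 example. This is not Admidio's code: the schema, the column names (lsc_column, lsc_sort), the member/user tables, and the rows are constructed for the demo, and only the adm_list_columns table name comes from the advisory. The vulnerable renderer stores the user's column choice with a bound parameter and later pastes it into the SELECT; the hardened renderer allowlists the column against the real table schema and the sort direction against ASC/DESC before building the query.

```python
import sqlite3

# Payload an attacker would save as a "column name": a scalar subquery that
# pulls password hashes from a table the list feature was never meant to read.
PAYLOAD = "(SELECT group_concat(password_hash) FROM adm_users)"
ALLOWED_SORT = {"ASC", "DESC"}


def setup_db() -> sqlite3.Connection:
    """Constructed demo schema (assumption, not Admidio's real tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE adm_members (usr_id INTEGER PRIMARY KEY, last_name TEXT, email TEXT);
        CREATE TABLE adm_users (usr_id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
        CREATE TABLE adm_list_columns (lsc_id INTEGER PRIMARY KEY, lsc_column TEXT, lsc_sort TEXT);
        INSERT INTO adm_members VALUES (1, 'Mustermann', 'max@example.org'),
                                       (2, 'Schmidt', 'anna@example.org');
        INSERT INTO adm_users VALUES (1, 'admin', '$2y$10$constructedhash'),
                                     (2, 'max',   '$2y$10$otherhash');
    """)
    return conn


def save_list_column(conn: sqlite3.Connection, column: str, sort: str) -> int:
    """Safe write: user input goes in as bound parameters, nothing is injected here."""
    cur = conn.execute(
        "INSERT INTO adm_list_columns (lsc_column, lsc_sort) VALUES (?, ?)",
        (column, sort),
    )
    conn.commit()
    return cur.lastrowid


def _load_config(conn: sqlite3.Connection, lsc_id: int):
    return conn.execute(
        "SELECT lsc_column, lsc_sort FROM adm_list_columns WHERE lsc_id = ?", (lsc_id,)
    ).fetchone()


def render_list_vulnerable(conn: sqlite3.Connection, lsc_id: int):
    """Unsafe read: the stored column and sort are spliced into SQL text.

    The database trusts these values because they came from its own table,
    which is exactly what makes this a second-order injection.
    """
    column, sort = _load_config(conn, lsc_id)
    sql = f"SELECT usr_id, {column} FROM adm_members ORDER BY usr_id {sort}"
    return conn.execute(sql).fetchall()


def render_list_fixed(conn: sqlite3.Connection, lsc_id: int):
    """Hardened read: identifiers cannot be bound, so they are allowlisted instead.

    The column must be a real column of the target table (taken from the live
    schema, not from user input) and the sort must be one of two literals.
    """
    column, sort = _load_config(conn, lsc_id)
    allowed_columns = {row[1] for row in conn.execute("PRAGMA table_info(adm_members)")}
    if column not in allowed_columns:
        raise ValueError(f"rejected stored column name: {column!r}")
    sort = sort.upper()
    if sort not in ALLOWED_SORT:
        raise ValueError(f"rejected stored sort direction: {sort!r}")
    # Identifier is quoted as well, belt and braces on top of the allowlist.
    sql = f'SELECT usr_id, "{column}" FROM adm_members ORDER BY usr_id {sort}'
    return conn.execute(sql).fetchall()


def demo() -> dict:
    """Run both renderers against a benign and a malicious stored list definition."""
    conn = setup_db()
    benign_id = save_list_column(conn, "last_name", "ASC")
    evil_id = save_list_column(conn, PAYLOAD, "ASC")
    try:
        render_list_fixed(conn, evil_id)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "benign_rows": render_list_vulnerable(conn, benign_id),
        "leaked_rows": render_list_vulnerable(conn, evil_id),
        "fixed_blocks_payload": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the example is where the check has to live: binding parameters at insert time is necessary but not sufficient, because a column name or sort keyword is an identifier and cannot be bound at query time, so the only defence on the read path is validation against a closed set that the user cannot influence.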

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.28% probability of exploitation · percentile 19.5% · 2026-06-18T12:00:27Z
Published: 2026-03-20
Last modified: 2026-03-23

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f
  2. https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m

Type     | Target                                                                                | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE  CVE-2026-32817
CVE  CVE-2026-32756
CVE  CVE-2025-54119
CVE  CVE-2026-41669
CVE  CVE-2026-41670
CVE  CVE-2026-1367
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.