CVE-2026-41663

Source
https://cve.org/CVERecord?id=CVE-2026-41663
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41663.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41663
Aliases
Published
2026-05-07T03:00:11.696Z
Modified
2026-07-08T08:13:13.395364767Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
Admidio: CSRF on Admin Preferences Triggers Unauthorized Backup, .htaccess Write, and Email Send
Details

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41663.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Git / github.com/admidio/admidio

Affected ranges

Type
GIT
Repo
https://github.com/admidio/admidio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.0.9"
        }
    ]
}

Affected versions

3.*
3.0-Beta.1
3.0-Beta.3
v3.*
v3.0.6
v3.1.5
v3.2-Beta.1
Other
v34
v4.*
v4.0-Beta.1
v4.1-Beta.2
v4.3-Beta.1
v5.*
v5.0-Beta.1
v5.0-Beta.2
v5.0-Beta.3
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41663.json"