Admidio Critical File Upload Risk: Arbitrary File Types Can Be Uploaded
GHSA-95cq-p4w2-32w5
CVE-2026-32756
Summary
An attacker with upload permissions in Admidio can upload PHP scripts or other unauthorized file types, potentially allowing them to execute code on the server. This is a serious risk because it could give an attacker control over the server. To protect yourself, ensure that you are running the latest version of Admidio and take steps to validate user uploads carefully.
What to do
- Update Admidio (vendor admidio, product admidio) to version 5.0.7 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| admidio | admidio | <= 5.0.6 | 5.0.7 |
Original description
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution on the server, resulting in full server compromise, data exfiltration, and lateral movement. This issue has been fixed in version 5.0.7.
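The description names a check-ordering flaw rather than a missing check: a CSRF failure and an extension failure are handled by code paths that do not both fail closed. The following is an added, constructed PHP illustration of that bug class beside a hardened form; it is not Admidio's UploadHandlerFile.php (that code is not on this page), and the function names, allowlist and placeholder token are assumptions.

```php
<?php
// Constructed illustration of the CWE-434 pattern described above.
// NOT Admidio's code: names, allowlist and control flow are assumed.

const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt'];

function extensionOf(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Flawed shape: the extension allowlist is only evaluated on the branch
// where the token validated. A token failure is recorded for messaging,
// the elseif is skipped, and the upload proceeds with any extension.
function flawedAccept(string $token, string $expectedToken, string $filename): bool
{
    $errors = [];
    if (!hash_equals($expectedToken, $token)) {
        $errors[] = 'csrf';              // recorded, never enforced
    } elseif (!in_array(extensionOf($filename), ALLOWED_EXTENSIONS, true)) {
        return false;                    // only reached with a valid token
    }
    return true;                         // $errors only feeds a UI message
}

// Hardened shape: every check is independent and fails closed, and the
// extension allowlist runs regardless of what happened before it.
function hardenedAccept(string $token, string $expectedToken, string $filename): bool
{
    if (!hash_equals($expectedToken, $token)) {
        return false;                    // CSRF failure is a hard reject
    }
    $ext = extensionOf($filename);
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return false;                    // allowlist, never a denylist
    }
    if (substr_count(basename($filename), '.') > 1) {
        return false;                    // policy: no multi-extension names
    }
    return true;
}

// Constructed comparison; the expected token is a placeholder value.
$expected = 'EXPECTED-TOKEN-PLACEHOLDER';
var_dump(flawedAccept('bad-token', $expected, 'upload.php'));
var_dump(hardenedAccept('bad-token', $expected, 'upload.php'));
var_dump(hardenedAccept($expected, $expected, 'report.pdf'));
```

The first call shows the flawed handler accepting a .php name once the token path is taken; the hardened handler rejects it on the token alone and still rejects the extension even when the token is valid.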
CVSS 3.1 (GHSA): 8.8
Vulnerability type
CWE-434: Unrestricted File Upload
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 16 Mar 2026