Multiple Authorization and CSRF Vulnerabilities in Admidio
Several newly disclosed Admidio vulnerabilities allow unauthorized or improperly authorized state-changing actions in core modules handling roles, documents, and forums. One flaw in modules/groups-roles/groups_roles.php is a CSRF issue that can let an attacker trick an authenticated user with rol_assign_roles privileges into activating, deactivating, or deleting organizational roles because the server does not properly enforce anti-CSRF validation for some sensitive requests. Additional Admidio issues stem from missing authorization checks on destructive actions, allowing operations to proceed after insufficient validation.
In the documents module, modules/documents-files.php uses read-access checks such as getFolderForDownload() and getFileForDownload() before executing folder_delete and file_delete, which can let any user who can view a file or folder delete it; in public-mode configurations, that can extend to unauthenticated deletion of public content. In the forum module, modules/forum.php validates a CSRF token for topic_delete and post_delete actions but fails to verify whether the requester is actually authorized to delete the targeted content, enabling arbitrary forum post or topic deletion. A separate disclosure affecting Campus Educativa describes an IDOR at /administracion/admin_usuarios.cgi that exposes enrolled-user data through brute-forced course IDs, but that is a different product and incident and should be treated separately.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-32756 publicly disclosed for Admidio file upload bypass
Details were published for CVE-2026-32756, describing a critical unrestricted file upload vulnerability in Admidio's Documents & Files module. The disclosure stated that exploitation could enable arbitrary file upload, server compromise, data exfiltration, and lateral movement.
Admidio unrestricted file upload flaw fixed in version 5.0.7
A critical unrestricted file upload vulnerability affecting Admidio 5.0.6 and earlier was addressed in Admidio version 5.0.7. The flaw allowed an authenticated user with upload permissions to bypass file extension restrictions via invalid CSRF token handling, potentially leading to remote code execution.
Admidio flaws disclosed affecting role, document, and forum deletion
Three Admidio vulnerabilities were publicly disclosed: a CSRF issue in role management that can change or delete roles, a missing-authorization and CSRF flaw that allows unauthorized document or folder deletion, and an authorization bypass that permits arbitrary forum topic and post deletion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-32756 - Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
cvefeed.io
Open sourceGHSA-WWG8-6FFR-H4Q2: GHSA-wwg8-6ffr-h4q2: Cross-Site Request Forgery in Admidio Role Management | CVEReports
cvereports.com
Open sourceGHSA-RMPJ-3X5M-9M5F: GHSA-RMPJ-3X5M-9M5F: Missing Authorization and CSRF in Admidio Document Deletion | CVEReports
cvereports.com
Open sourceGHSA-G375-5WMP-XR78: GHSA-g375-5wmp-xr78: Missing Authorization Allows Arbitrary Forum Deletion in Admidio | CVEReports
cvereports.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated RCE in com_mb24sysapi and High-Severity CSRF in DedeCMS
A newly recorded vulnerability, **CVE-2026-32968**, affects the `com_mb24sysapi` module and allows **unauthenticated remote code execution** through an OS command injection flaw. The weakness is classified as **CWE-78** and stems from improper neutralization of special elements in OS commands, enabling a remote attacker to execute arbitrary commands and potentially take full control of an affected system. The CVE is described as a variant of `CVE-2020-10383`, carries a **CVSS v3.1** vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, and is referenced by CERT VDE advisories **VDE-2026-024** and **VDE-2026-025**. A separate high-severity issue, **CVE-2026-29839**, was recorded for **DedeCMS v5.7.118** in the `/sys_task_add.php` component. The flaw is a **Cross-Site Request Forgery** vulnerability classified as **CWE-352**, and its updated **CVSS v3.1** vector is `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating that successful exploitation could significantly affect confidentiality, integrity, and availability. The record includes references to a public gist and the DedeCMS website, highlighting another internet-exposed web application weakness with potentially serious impact.
Mar 24, 2026
Multiple XenForo Flaws Expose Forums to RCE, Scope Abuse, and Template Bypass
XenForo disclosed and patched three high-severity vulnerabilities affecting multiple 2.2 and 2.3 releases, including **remote code execution**, **OAuth2 authorization abuse**, and a **template method call restriction bypass**. The most severe issue, `CVE-2026-35056`, allows an authenticated but malicious administrator with admin control panel access to execute arbitrary code on the server, affecting versions before **2.3.9** and **2.2.18**. The flaw is classified as `CWE-94` and carries a high-impact CVSS vector indicating compromise of confidentiality, integrity, and availability. Two additional XenForo flaws affect authorization controls in the platform. `CVE-2025-71278` impacts versions before **2.3.5** and allows OAuth2 client applications to request unauthorized scopes, potentially granting access beyond intended permissions; it is mapped to `CWE-863`. `CVE-2025-71281` affects versions before **2.3.7** and stems from a loose prefix match in template callback and variable method-call handling, enabling unauthorized method invocation from templates. XenForo addressed the issues in security releases **2.3.5**, **2.3.7**, **2.3.9**, and **2.2.18**, with advisories also published by VulnCheck.
Apr 1, 2026
IDOR Flaws in MphRx Minerva Expose User Data and Enable Account Takeover
MphRx's **Minerva 3.6.0** was found to contain two high-severity insecure direct object reference vulnerabilities, tracked as `CVE-2026-5779` and `CVE-2026-5780`, that let authenticated users bypass authorization controls. The first issue affects the `/minerva/user/updateUserProfile` endpoint and allows a logged-in user to modify another registered user's profile information. The second affects `/minerva/moUser/show/`, where changing an ID parameter can expose other users' data, including user listings, without proper access checks. The profile-modification flaw can be chained with the `/webconnect/#/forgotPassword` function to trigger password resets for other users, creating a path to full account takeover. Both CVEs were classified under **CWE-284** and published through CVE records referencing an **INCIBE-CERT** advisory on multiple vulnerabilities in Minerva, with scoring that indicates low attack complexity, low privileges required, and significant confidentiality and integrity impact.
May 24, 2026