CVE-2026-32813 in admidioinfo

Summary

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsible

GitHub_M

Reservation

03/16/2026

Disclosure

03/20/2026

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

IDVulnerabilityCWEExpCouCVE
351837admidio sql injection89Not definedOfficial fixCVE-2026-32813

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!