4 matches found

RedhatCVE
added 2026/03/26 3:2 p.m. | 1 view

CVE-2026-32756

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an...

CVSS 8.8 | AI score 6 | EPSS 0.00982
Exploits: 1 | References: 1
Cvelist
added 2026/03/19 11:8 p.m. | 18 views

CVE-2026-32756 Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an...

CVSS 8.8 | EPSS 0.00982
Exploits: 1 | References: 2
CVE
added 2026/03/19 11:8 p.m. | 13 views

CVE-2026-32756

CVE-2026-32756 - Admidio: The Red Hat/NVD/OSV/GHSA entries describe a concrete flaw in the Documents & Files module of Admidio (versions ≤ 5.0.6) that allows unrestricted file upload via a CSRF token validation bypass in UploadHandlerFile.php. Root cause: the system saves the uploaded file to di...

CVSS 8.8 | AI score 6 | EPSS 0.00982
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/03/16 12:0 a.m. | 5 views

PT-2026-26172

Summary: The documents and files module in Admidio does not verify whether the current user has permission to delete folders or files. The folder delete and file delete action handlers in modules/documents-files.php only perform a VIEW authorization check getFolderForDownload / getFileForDownload...

CVSS 9.1 | AI score 5.9 | EPSS 0.00323
Exploits: 1 | References: 8