CVE-2026-42194
Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetchmetadata.php validates the resolved IP address but passes the original hostname-based URL to `curl_init`, leaving a DNS rebinding TOCTOU window that allows redirecting requests to...
CVE-2026-41658 Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer, by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for...
EUVD-2026-28266
Admidio is an open-source user management solution. Prior to version 5.0.9, the contactsdata.php endpoint uses a weaker permission check (isAdministratorUsers, requiring only rol_edit_user=true) than the frontend UI contacts.php, which correctly requires the stronger isAdministrator check, requiring...
CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal sequences (`../`) to pass through unfiltered. Combined with the absence of CSRF...
Improper Check for Unusual or Exceptional Conditions
Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the stopMembership function. An attacker can cause a denial of administrative...
MAL-2025-49318 Malicious code in stark-recurser (npm)
Source: amazon-inspector (54520ff73a8cd962cb9ab3db426b6c93987e6b616edf752e0e5f6f346293af1b): The package stark-recurser was found to contain malicious code. Source: ossf-package-analysis...
CVE-2025-39553 WordPress Church Admin plugin <= 5.0.9 - Sensitive Data Exposure vulnerability
Missing Authorization vulnerability in andymoyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9...
CVE-2025-39553
CVE-2025-39553 (Church Admin plugin) details: A Missing Authorization vulnerability affects WordPress Church Admin instances using versions from unknown up to 5.0.9. The CVE entry indicates potential unauthorized access leading to data exposure (the vulnerability is categorized as Missing Author...
WordPress AutomatorWP plugin <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value vulnerability
Reflected Cross-Site Scripting via a-0-o-search_field_value vulnerability discovered by Vincent Fourcade (vinceMatsui) in WordPress Plugin AutomatorWP versions <= 5.0.9...
X2Engine X2CRM Cross-Site Scripting Vulnerability
X2Engine X2CRM is an open-source customer relationship management (CRM) program from the US company X2Engine. A cross-site scripting vulnerability exists in X2Engine X2CRM versions prior to 5.0.9. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML...
A vulnerability in the Red Hat Enterprise Linux operating system allows a remote attacker to compromise the confidentiality, integrity, and availability of protected information.
A vulnerability in the net-snmp-devel-5.0.9 package for the Red Hat Enterprise Linux operating system can lead to violations of the confidentiality, integrity, and availability of protected information. This vulnerability can be exploited remotely...