CVE-2026-32816 Admidio has Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF...
CVE-2026-32816
CVE-2026-32816 affects Admidio 5.0.0–5.0.6 where delete, activate, and deactivate for groups_roles.php do not validate CSRF tokens. The client sends a CSRF token via adm_csrf_token, but server handlers ignore it for these modes, enabling a forged request to permanently delete roles and cascade re...
Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
Summary The delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...
GHSA-WWG8-6FFR-H4Q2 Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
Summary The delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...
PT-2026-26171
Summary The delete, activate, and deactivate modes in modules/groups-roles/groups_roles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...
Improper Preservation of Permissions
Overview Affected versions of this package are vulnerable to Improper Preservation of Permissions due to the improper removal of ClusterRoleBinding objects when a custom administrative global role or its binding is deleted. An attacker can retain unauthorized access to clusters by leveraging...
EUVD-2015-7626
Malware in sbrugna...
EUVD-2023-42747
Malicious code in bioql PyPI...
EUVD-2022-3234
Malicious code in bioql PyPI...
EUVD-2022-5864
Malicious code in bioql PyPI...
CVE-2020-13341
An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Insufficient permission check allows attacker with developer role to perform various deletions...
CVE-2024-39408 Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by...
CVE-2022-4016 Booster for WooCommerce - Custom Role Creation/Deletion via CSRF
The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins...
GHSA-PPQ7-88C7-Q879 Cross-Site Request Forgery in PiranhaCMS
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known...
PyPI Python Package Repository Patches Critical Supply Chain Flaw
The maintainers of the Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one among which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanes...
GaussDB Kernel: Checking the POLADMIN Permission
A role with the POLADMIN permission can create resource labels, anonymization policies, and unified audit policies. To avoid arbitrary security policy creation, delete roles that do not require the POLADMIN permission. Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be...
GaussDB Kernel: Checking the OPRADMIN Permission
A role with the OPRADMIN permission can use Roach to perform backup and restoration. To avoid arbitrary database file backup, delete roles that do not require the OPRADMIN permission. Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and...
CVE-2015-7726
Cross-site scripting (XSS) vulnerability in role deletion in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allows remote authenticated users to inject arbitrary web script or HTML via the role name, aka SAP Security Note 2153898...