CVE-2026-41656
CVE-2026-41656 (Admidio) : Prior to 5.0.9, the add mode of modules/documents-files.php accepts a name parameter with only string-based HTML encoding validation, allowing path traversal (../) and, combined with absent CSRF protection and SameSite=Lax cookies, enables a low-privilege attacker to tr...
CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...
Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read
Summary The add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a...
GHSA-M9H6-8PQM-XRHF Admidio has Path Traversal via Unvalidated `name` Parameter in Document Add Mode that Enables Arbitrary Server File Read
Summary The add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a...
GYM-MANAGEMENT-SYSTEM Security Vulnerability
GYM-MANAGEMENT-SYSTEM is a gym management system by Abhishek S Personal Developer. A security vulnerability exists in GYM-MANAGEMENT-SYSTEM version 1.0, which stems from the unvalidated name parameter in membersearch.php, trainersearch.php, and gymsearch.php, and the id parameter in...
Open Source Point of Sale Security Vulnerability
Open Source Point of Sale is a web-based point of sale system. A security vulnerability exists in Open Source Point of Sale version 3.4.1, which stems from an unvalidated name parameter and could lead to a cross-site scripting attack...
Q2A Ultimate SEO Cross-Site Scripting Vulnerability
Q2A Ultimate SEO is a component of the Q2A Projects team that provides search engine optimization functionality for Question2Answer. A cross-site scripting vulnerability exists in Q2A Ultimate SEO that stems from insufficient validation of the name parameter input in /products//edit, which could...
Simple Chat System Code Injection Vulnerability
Chat System is a chat system. Chat System suffers from a cross-site scripting vulnerability that stems from a lack of sufficient validation and escaping of the name parameter input in the file /admin/updateuser.php. The vulnerability can be exploited to conduct a cross-site scripting attack by...
ThinkSAAS Security Vulnerability
ThinkSAAS is an open-source, flexible and open website-building system program. A SQL injection vulnerability exists in ThinkSAAS version 3.7.0; it stems from the name parameter in systemactionupdate.php lacking validation of external input SQL...
PT-2023-29498 · Unknown · Online Food Ordering System
Name of the Vulnerable Software and Affected Versions: Online Food Ordering System version 1.0 Description: The issue concerns multiple Unauthenticated SQL Injection vulnerabilities. The name parameter of the "routers/add-item.php" resource does not validate the characters received and they are...