{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32813", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.696Z", "datePublished": "2026-03-20T02:09:07.610Z", "dateUpdated": "2026-03-20T14:39:28.844Z"}, "containers": {"cna": {"title": "Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"}, {"name": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:09:07.610Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-3x67-4c2c-w45m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:39:25.477961Z", "id": "CVE-2026-32813", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:39:28.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32813", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:39:25.477961Z"}}}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:39:19.781Z"}}], "cna": {"title": "Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)", "source": {"advisory": "GHSA-3x67-4c2c-w45m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": "< 5.0.7"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f", "name": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:09:07.610Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32813", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:39:28.844Z", "dateReserved": "2026-03-16T17:35:36.696Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:09:07.610Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27", "versionEndExcluding": "5.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort directions, and filter conditions in the adm_list_columns table via prepared statements. However, these stored values are later read back and interpolated directly into dynamically constructed SQL queries without sanitization or parameterization, creating a classic second-order SQL injection vulnerability (safe write, unsafe read). An attacker can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting any data in the database and achieving full database compromise. This issue has been fixed in version 5.0.7."}], "id": "CVE-2026-32813", "lastModified": "2026-03-23T15:25:42.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.210", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Admidio/admidio/commit/3473bf5a7aa1bfc5043e73979719396276f4189f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-3x67-4c2c-w45m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-23T16:53:52.670407+00:00", "value": {"mitigation_remediation": ["Upgrade Admidio to version 5.0.7 or later to fix the second\u2011order SQL injection vulnerability"], "summary": {"action": "Immediate Patch", "impact": "Database Compromise through SQL Injection"}, "threat_synthesis": {"affected_systems": "Admidio versions 5.0.6 and earlier are affected. The issue resides in the MyList configuration feature that permits authenticated users to define custom list layouts.", "description_and_impact": "A second\u2011order SQL injection flaw in Admidio allows an attacker to execute arbitrary SQL commands. The vulnerability is triggered when user\u2011supplied column names, sort orders, and filter conditions are stored via prepared statements but later embedded unsanitized into dynamically constructed SQL queries. Successful exploitation can read, modify, or delete any database content, effectively compromising the entire data store.", "risk_and_exploitability": "The CVSS score of 8 indicates high risk, and the EPSS score below 1% reflects a low probability of exploitation in the wild. The vulnerability is not listed as a known exploited vulnerability by CISA. Attackers would need valid user credentials to configure the list, after which the stored inputs are later used in an unsafe query. Once the second\u2011order injection is triggered, the attacker gains full database control."}}}}, "created": "2026-03-20T08:53:07.120107+00:00", "updated": "2026-03-25T14:09:38.257987+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}