6.1
CVE-2026-41661 - Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion
Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode s…
7.1
CVE-2026-41660 - Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP
Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A grou…
2.7
CVE-2026-41659 - Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While t…
6.5
CVE-2026-41658 - Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated U…
Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item…
4.9
CVE-2026-41657 - Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php
Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requirin…
4.5
CVE-2026-41656 - Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Ser…
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF pr…
6.5
CVE-2026-41655 - Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database C…
Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../…
6.5
CVE-2026-4807 - Appointment Booking Calendar <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification…
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin expo…
3.7
CVE-2026-44600 - Mismanaged Queue State Leading to Potential Denial of Service in Tor
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
3.7
CVE-2026-44599 - Tor Conflux Leg Vulnerability Allowing Unauthorized BEGIN_DIR Handling
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.