CVE-2026-34382: Admidio has Missing CSRF Protections on Custom List Deletion in mylist_function.php
The delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently destroy that user’s list configurations — including organization-wide shared lists when the victim holds administrator rights.
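The missing check, sketched as an added example: this is not Admidio's code or its patch, and the function names, field names (`csrf_token`, `list_id`) and the ownership rule are assumptions made for illustration. The delete handler rejects the request unless a per-session token from the form accompanies the session cookie.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; this is not Admidio's code.

/** Issue (or reuse) the per-session token that every state-changing form embeds. */
function csrfToken(array &$session): string
{
    $session['csrf_token'] ??= bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrfTokenIsValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

/** Delete-mode handler; returns an HTTP status. $lists stands in for the database table. */
function handleDelete(array $session, string $method, array $post, array &$lists): int
{
    if ($method !== 'POST') {
        return 405; // destructive actions are never served on GET
    }
    if (!csrfTokenIsValid($session, $post)) {
        return 403; // the browser sent the cookie, but the page that built the request had no token
    }
    $id = $post['list_id'] ?? null;
    if (!is_string($id) || !isset($lists[$id])) {
        return 404;
    }
    // Authorization is a separate check (assumed rule: own lists, or shared lists for admins).
    $list = $lists[$id];
    if ($list['owner'] !== $session['user'] && !($list['shared'] && $session['is_admin'])) {
        return 403;
    }
    unset($lists[$id]);
    return 204;
}

// Constructed sample data: an administrator session and one shared list.
$session = ['user' => 'alice', 'is_admin' => true];
$lists = ['7' => ['owner' => 'bob', 'shared' => true]];
$token = csrfToken($session);
// Request without the token, as a cross-site form submission would arrive.
var_dump(handleDelete($session, 'POST', ['list_id' => '7'], $lists));
// Request from the application's own form, which carries the token.
var_dump(handleDelete($session, 'POST', ['list_id' => '7', 'csrf_token' => $token], $lists));
```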