Skip to main content

Froshadminer CVE-2026-25878

MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-02-09 security-advisories@github.com GHSA-f339-246p-wwjp
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 28, 2026 - 00:18 nvd
Patch available
CVE Published
Feb 09, 2026 - 21:15 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.

AnalysisAI

Froshadminer versions up to 2.2.1 is affected by missing authentication for critical function (CVSS 5.3).

Technical ContextAI

This vulnerability (CWE-306: Missing Authentication for Critical Function) affects Froshadminer. FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 2.2.1.. Restrict network access to the affected service where possible.

Share

CVE-2026-25878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy