CVE-2026-30498
Status: Deferred - Pending Action
Cross-Site Request Forgery in Jason2605 AdminPanel

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: MITRE

Description
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: jason2605
Product: adminpanel
Version / Range: 4.0
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue found in the delete.php endpoint of Jason2605 AdminPanel version 4.0. CSRF vulnerabilities allow an attacker to trick a user into performing unwanted actions on a web application in which they are authenticated, potentially causing unintended operations such as deleting data.

Impact Analysis

Exploitation of this CSRF vulnerability could allow an attacker to cause an authenticated user to unknowingly execute delete operations via the delete.php endpoint. This could lead to unauthorized deletion of data or resources within the Jason2605 AdminPanel, potentially resulting in data loss or disruption of service.

Mitigation Strategies

Immediate mitigation steps include implementing CSRF protections on the delete.php endpoint.

  • Add CSRF token validation: accept a request only when it carries a token bound to the authenticated user's session. A page on another origin cannot read that token, so it cannot forge a matching request.
  • Restrict the delete.php endpoint to POST requests instead of GET requests. This stops the simplest forgeries (a link or image tag), but an auto-submitted cross-site form can still POST, so it is a defence-in-depth measure rather than a complete fix on its own.
  • Enforce Origin and Referer header checks to verify that requests come from the panel's own host. Fail closed when both headers are absent; browsers send Origin on cross-origin POSTs even when privacy settings strip Referer.

Upgrading to the fixed version (delete_fixed.php) that includes these protections is recommended.
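The three checks above, combined into one server-side validator, as an added illustration. This is not code from the AdminPanel project (which is PHP) or from the advisory; it is written in Python as a framework-agnostic model of the logic, with incoming requests represented as plain dicts. The field names (method, headers, form, session), the token name csrf_token and the host adminpanel.example are assumptions made for the example.

```python
"""CSRF protections for a state-changing endpoint, modelled after the
mitigation list for CVE-2026-30498.

Added example, not the project's own code. A request is a dict with the
keys "method", "headers", "form" and "session" (assumed shape); the host
name and token field are assumed values.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_HOST = "adminpanel.example"   # assumed deployment host
TOKEN_FIELD = "csrf_token"            # assumed form field / session key


def issue_csrf_token(session: dict) -> str:
    """Create one unpredictable token per session; the page that renders
    the delete form embeds it as a hidden field."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def _source_host(headers: dict) -> Optional[str]:
    """Host named by Origin, falling back to Referer; None if neither is set."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def authorize_delete(request: dict) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass before anything is deleted."""
    # 1. A state change must not be reachable by GET: any page can make the
    #    victim's browser issue a GET, cookies included, via a link or <img>.
    if request["method"] != "POST":
        return False, "method not allowed: state change via %s" % request["method"]

    # 2. Origin/Referer must name our own host. Missing headers are rejected
    #    (fail closed); browsers attach Origin to cross-origin POSTs even when
    #    Referer has been stripped, so legitimate same-site forms still pass.
    host = _source_host(request["headers"])
    if host != TRUSTED_HOST:
        return False, "untrusted or missing Origin/Referer: %r" % host

    # 3. The submitted token must equal the session-bound one. Constant-time
    #    comparison avoids leaking how many leading bytes matched.
    expected = request["session"].get(TOKEN_FIELD)
    submitted = request["form"].get(TOKEN_FIELD, "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or mismatched CSRF token"

    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the validator over constructed requests: one legitimate, three forged."""
    session: dict = {}                 # stands in for the victim's server-side session
    token = issue_csrf_token(session)
    own_origin = {"Origin": "https://adminpanel.example"}
    cases = {
        # Form submitted from the panel's own page, carrying its session token.
        "legit_post": {"method": "POST", "headers": own_origin,
                       "form": {TOKEN_FIELD: token, "file": "report.txt"}, "session": session},
        # The advisory's pattern: a GET triggered from a third-party page.
        "forged_get": {"method": "GET", "headers": {"Referer": "https://forum.example/thread/42"},
                       "form": {"file": "report.txt"}, "session": session},
        # Auto-submitted cross-site form: POST-only does not stop it, the Origin check does.
        "cross_site_post": {"method": "POST", "headers": {"Origin": "https://forum.example"},
                            "form": {"file": "report.txt"}, "session": session},
        # Right host but no token (for example a stale page): still refused.
        "same_host_no_token": {"method": "POST", "headers": own_origin,
                               "form": {"file": "report.txt"}, "session": session},
    }
    return {name: authorize_delete(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-20s %s" % (name, "allowed" if allowed else "refused"))
```

Only the first constructed request is allowed; each forged one is refused by a different check, which is the point of layering them: the token check is the one that actually defeats CSRF, and the method and Origin checks cut off the easy paths and give a clear log reason when something is rejected.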

Compliance Impact

The CVE-2026-30498 vulnerability is a Cross-Site Request Forgery (CSRF) issue that allows attackers to perform unauthorized actions such as file deletion and potentially full system compromise by exploiting the lack of CSRF protections in the delete.php endpoint of AdminPanel 4.0.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow unauthorized access or modification of critical files and system compromise can lead to violations of data protection and security requirements mandated by such regulations.

Specifically, failure to protect against CSRF attacks may result in unauthorized data manipulation or loss, which could impact the confidentiality, integrity, and availability of personal or sensitive data, thereby affecting compliance with regulations that require strict access controls and data protection measures.

Detection Guidance

Exploitation attempts can be detected by monitoring requests to the delete.php endpoint of AdminPanel 4.0 for patterns that a protected endpoint would never see served, and the vulnerability itself can be confirmed by checking whether the endpoint enforces CSRF protections.

Since the vulnerability involves forged GET requests that trigger file deletions without user consent, you can look for unusual GET requests to delete.php in your web server logs.

Tools such as grep (to inspect logs) and curl (to probe the endpoint) can help, for example:

  • grep 'GET /delete.php' /var/log/apache2/access.log
  • curl -I http://yourserver/delete.php

Additionally, testing whether delete.php accepts GET requests without CSRF tokens or Origin/Referer checks can help confirm the vulnerability.
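The grep above answers one question (did anyone GET delete.php?). The following added example extends it to the other signal the detection guidance mentions, a request whose Referer points away from the panel's own host, and reports the response status so that an analyst can tell a refused probe from a served request. It is not part of the advisory or of the AdminPanel project; it parses Apache's default combined log format, and the log lines, client addresses and the host name adminpanel.example are constructed for the example.

```python
"""Flag likely CSRF traffic against delete.php in Apache combined-format logs.

Added example, not from the advisory or the AdminPanel project. Two
patterns are reported: any GET to delete.php (a fixed endpoint should
refuse these), and any POST to delete.php whose Referer is missing or
names a host other than the panel's own. Sample log lines are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

TRUSTED_HOST = "adminpanel.example"   # assumed deployment host
TARGET_PATH = "/delete.php"           # endpoint named in the advisory

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one normal page load, one legitimate delete, one GET
# forged from a third-party page, one POST with no Referer, one refused probe.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:10:01:40 +0000] "POST /delete.php HTTP/1.1" 302 0 "https://adminpanel.example/files.php" "Mozilla/5.0"
198.51.100.9 - - [27/May/2026:10:03:02 +0000] "GET /delete.php?file=report.txt HTTP/1.1" 302 0 "https://forum.example/thread/42" "Mozilla/5.0"
198.51.100.9 - - [27/May/2026:10:03:05 +0000] "POST /delete.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [27/May/2026:10:04:55 +0000] "GET /delete.php HTTP/1.1" 405 0 "-" "curl/8.5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request to delete.php that matches a CSRF pattern."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # urlsplit drops the query string, so "/delete.php?file=x" still matches.
        if rec is None or urlsplit(rec["path"]).path != TARGET_PATH:
            continue
        referer = rec["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if rec["method"] == "GET":
            reason = "GET to delete.php (state change on a safe method)"
        elif ref_host != TRUSTED_HOST:
            # A missing Referer can also be a privacy setting; the status
            # code tells the analyst whether the request was actually served.
            reason = "POST to delete.php with missing/foreign Referer %r" % referer
        else:
            continue  # same-host POST: expected traffic
        findings.append({
            "client": rec["client"], "time": rec["time"],
            "method": rec["method"], "status": rec["status"],
            "referer": referer, "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("%(time)s %(client)s %(method)s -> %(status)s  %(reason)s" % f)
```

On the constructed sample the legitimate same-host POST is ignored, the forged GET from forum.example and the Referer-less POST are both reported with status 302 (served), and the curl probe is reported with status 405, which is what the endpoint should return once it refuses GET. Feed the function a real access log and review anything served with a 2xx or 3xx status first.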
