Description
Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.
Published: 2026-05-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Admidio’s system/msg_window.php fails to encode user input completely. The input is passed through htmlspecialchars(), which leaves square brackets untouched; Language::prepareTextPlaceholders() later turns those brackets into angle brackets, so user-supplied text becomes live markup. As a result an attacker can embed arbitrary JavaScript that runs in the victim’s browser, enabling theft of credentials, session hijacking or defacement. The flaw is a client-side injection (CWE-79) that affects the confidentiality and integrity of the application state.
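The encoding-order defect described above, as an added illustration that is not Admidio's code: `prepareTextPlaceholdersStandIn()` is a hypothetical stand-in that does only what the advisory states (square brackets become angle brackets); Admidio's real Language::prepareTextPlaceholders() is not reproduced. The sample string is constructed. The hardened variant implements the mitigation named in the Recommended Actions, encoding square brackets before the placeholder step runs.

```php
<?php
// Added illustration (not Admidio's code): models the encoding-order defect the
// advisory describes and a mitigation matching the recommended action.

// Hypothetical stand-in for Language::prepareTextPlaceholders(). The advisory
// only states that it turns square brackets into angle brackets; Admidio's real
// routine is not reproduced here.
function prepareTextPlaceholdersStandIn(string $text): string
{
    return str_replace(['[', ']'], ['<', '>'], $text);
}

// Vulnerable ordering: htmlspecialchars() encodes < > & " ' but leaves [ ]
// untouched, so the placeholder step re-creates markup from user input.
function renderMessageVulnerable(string $userInput): string
{
    $encoded = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return prepareTextPlaceholdersStandIn($encoded);
}

// Hardened ordering: neutralise the bracket syntax in untrusted input before
// placeholders are prepared. Numeric entities keep the literal brackets
// visible to the reader while making the bracket-to-tag step a no-op on them.
function renderMessageHardened(string $userInput): string
{
    $encoded = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $encoded = str_replace(['[', ']'], ['&#91;', '&#93;'], $encoded);
    return prepareTextPlaceholdersStandIn($encoded);
}

// Defender's check: output derived from a user-controlled string should never
// contain a raw '<' after rendering.
function containsRawTag(string $html): bool
{
    return strpos($html, '<') !== false;
}

// Constructed sample input, not taken from the advisory. The '<' shows that
// htmlspecialchars() itself works; only the brackets bypass it.
$sample = 'Hello [i]everyone[/i], 1 < 2';

$results = [
    'vulnerable' => renderMessageVulnerable($sample),
    'hardened'   => renderMessageHardened($sample),
];

foreach ($results as $label => $out) {
    printf("%-10s %s  raw tag: %s\n", $label, $out, containsRawTag($out) ? 'yes' : 'no');
}
```

Run with `php example.php`: the vulnerable path yields `Hello <i>everyone</i>, 1 &lt; 2` (a raw tag), while the hardened path yields `Hello &#91;i&#93;everyone&#91;/i&#93;, 1 &lt; 2`, which renders the brackets as text and gives the placeholder routine nothing to convert.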

Affected Systems

Any deployment of the Admidio open‑source user management solution with a version older than 5.0.9 is vulnerable. The vulnerability was fixed in the 5.0.9 release; earlier releases remain at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. Although no EPSS value is provided and the flaw is not listed in CISA’s KEV catalog, the remote, unauthenticated nature of the exploit means any user who can load the affected page could be compromised. Attackers would need only to craft a URL or form that triggers the payload. The impact is limited to the victim’s browser, not the server itself, but the attacker can still extract or alter data carried by the user.

Generated by OpenCVE AI on May 7, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Admidio to version 5.0.9 or newer.
  • If upgrading is not immediately possible, block direct access to system/msg_window.php or ensure that all user input is processed with a sanitization routine that removes or encodes square brackets before placeholders are prepared.
  • Monitor web traffic for unexpected scripts and review application logs for unusual XSS attempts.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-gq27-fc8w-vcmp
Title: Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion
History

Thu, 07 May 2026 15:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:45:00 +0000

First Time appeared (values added): Admidio; Admidio admidio
Vendors & Products (values added): Admidio; Admidio admidio

Thu, 07 May 2026 04:15:00 +0000

Description (values added): Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.
Title (values added): Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion
Weaknesses (values added): CWE-79
References (values added): 
Metrics (values added): cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:58:41.314Z

Reserved: 2026-04-21T23:58:43.803Z

Link: CVE-2026-41661

Vulnrichment

Updated: 2026-05-07T13:55:47.499Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:29.920

Modified: 2026-05-07T16:16:20.270

Link: CVE-2026-41661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses