CVE-2026-41655

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9.

Vulnerability Details

Published Date

April 29, 2026

Last Modified

May 07, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

composer

Product

admidio/admidio

External References

https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx
https://github.com/advisories/GHSA-m3vp-3jjm-gpmx

CVE-2026-41655

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment