CVE-2026-41661

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.

Vulnerability Details

Published Date

April 29, 2026

Last Modified

May 07, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

composer

Product

admidio/admidio

External References

https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp
https://github.com/advisories/GHSA-gq27-fc8w-vcmp

CVE-2026-41661

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment