PT-2026-25855 · Admidio · Admidio

Restriction · Published 2026-03-16 · Updated 2026-03-20 · CVE-2026-32757

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions 5.0.6 and below

Description: Admidio, an open-source user management solution, has an issue in the eCard send handler. When constructing the HTML for greeting cards, the handler uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message']. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into emails sent to other members, bypassing the server-side HTMLPurifier sanitization applied during form validation. The vulnerability resides in the file ecard_send.php, specifically where the raw POST value is captured before form validation. The parseEcardTemplate() function in ECard.php places the message directly into the HTML template without encoding, which further enables the injection. The issue affects the delivery of HTML emails and potentially the database storage of the content. An attack could result in members receiving phishing content that appears legitimate, effectively crossing from the web application into the recipients' email clients.

Recommendations: Versions 5.0.6 and below: in ecard_send.php, use the sanitized $formValues['ecard_message'] instead of the raw $_POST['ecard_message']. Additionally, in ECard::parseEcardTemplate(), apply encoding to the message placeholder as a defense-in-depth measure.
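The defect and the two recommended fixes side by side, as an added PHP illustration that is not Admidio's code: validateForm(), buildCardVulnerable(), buildCardFixed() and parseTemplate() are invented names standing in for the handler and template code, and the block assumes HTMLPurifier is installed via Composer.

```php
<?php
// Added illustration of the defect behind CVE-2026-32757 and the recommended fix.
// Not Admidio's code: validateForm(), buildCardVulnerable(), buildCardFixed() and
// parseTemplate() are invented names. Assumes HTMLPurifier installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Form validation step: the submitted message is run through HTMLPurifier.
// Harmless markup such as <b> survives; active content is stripped.
function validateForm(array $post): array
{
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    $dirty = (string)($post['ecard_message'] ?? '');
    return ['ecard_message' => $purifier->purify($dirty)];
}

// VULNERABLE pattern (versions 5.0.6 and below): the raw POST value is captured
// before validation and is what ends up in the email HTML; the sanitized
// $formValues copy exists but is never used for the card.
function buildCardVulnerable(array $post): string
{
    $rawMessage = (string)($post['ecard_message'] ?? '');  // captured before validation
    $formValues = validateForm($post);                      // sanitized, then ignored
    return '<div class="ecard">' . $rawMessage . '</div>';  // raw HTML reaches recipients
}

// FIXED pattern, step 1: build the card only from the sanitized $formValues value.
function buildCardFixed(array $post): string
{
    $formValues = validateForm($post);
    return parseTemplate($formValues['ecard_message']);
}

// FIXED pattern, step 2 (defense in depth): encode at the template placeholder so
// that any markup still reaching this point is rendered as literal text.
function parseTemplate(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="ecard">' . nl2br($safe) . '</div>';
}

// Constructed sample submission (not a captured request): benign plus active markup.
$_POST = ['ecard_message' => "Hello <b>friend</b>\n<script>/* untrusted */</script>"];

echo buildCardVulnerable($_POST), PHP_EOL; // the script element reaches the email body
echo buildCardFixed($_POST), PHP_EOL;      // purifier strips it, the template encodes the rest
```

Encoding at the placeholder turns even purifier-allowed tags such as <b> into literal text, so if cards must keep rich formatting, the first layer (always building from the sanitized value) is the one that must never be bypassed.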

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32757
GHSA-4WR4-F2QF-X5WJ

Affected Products

Admidio