PT-2026-37139 · Admidio · Admidio

Published: 2026-04-29 · Updated: 2026-05-07 · CVE-2026-41655
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.9
Description: The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a plain filename before it is processed by the getEcardTemplate() function. An authenticated user can therefore supply a path traversal payload such as ../config.php and read arbitrary files readable by the web server process. This can disclose sensitive information, including the database credentials stored in adm_my_files/config.php, application source code, and system files.
Recommendations: Update to version 5.0.9. As a temporary workaround, restrict access to the ecard_preview.php endpoint or avoid using the ecard_template parameter until the update is applied.
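The flaw class described above, as an added example in Python rather than Admidio's PHP (this is not Admidio's code and not the actual fix in 5.0.9): a template resolver that concatenates the user-supplied name into a path with no validation, beside a hardened version that applies a filename allowlist and then a realpath containment check before reading. The directory layout, the `.tpl` extension, and the secret written into the constructed config.php are assumptions made for the demo.

```python
"""Vulnerable vs. hardened template lookup for a user-controlled filename parameter.
Added illustration, not Admidio's code; the file layout below is constructed for the demo."""
import os
import re
import tempfile

# Assumption for the demo: legitimate templates are flat files named like "postcard.tpl".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.tpl$")


def make_demo_tree():
    """Build a throwaway tree shaped like the situation in the advisory:
    <root>/adm_my_files/config.php holds a secret, <root>/templates/ holds templates."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "adm_my_files"))
    os.makedirs(os.path.join(root, "templates"))
    with open(os.path.join(root, "adm_my_files", "config.php"), "w") as f:
        f.write("<?php $g_adm_db_password = 'constructed-secret';\n")  # constructed
    with open(os.path.join(root, "templates", "postcard.tpl"), "w") as f:
        f.write("<html>postcard</html>")
    return root


def vulnerable_get_template(template_dir, name):
    """Mirrors the bug class: the parameter goes straight into the path.
    "../adm_my_files/config.php" or an absolute path escapes template_dir."""
    with open(os.path.join(template_dir, name)) as f:
        return f.read()


def hardened_get_template(template_dir, name):
    """Two independent layers:
    1. syntactic allowlist: no separators, no dots except the extension, no absolute paths;
    2. containment: resolve symlinks and confirm the parent is exactly template_dir,
       so a symlinked .tpl pointing elsewhere is also refused."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("template name rejected by allowlist: %r" % name)
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise ValueError("template resolves outside the template directory")
    with open(target) as f:
        return f.read()


def demo():
    """Run both resolvers against a legitimate name and several traversal payloads."""
    root = make_demo_tree()
    template_dir = os.path.join(root, "templates")
    payloads = [
        "../adm_my_files/config.php",            # classic traversal
        "..\\adm_my_files\\config.php",          # backslash variant
        "/etc/passwd",                           # absolute path; os.path.join drops the base
        "postcard.tpl/../../adm_my_files/config.php",  # traversal after a valid-looking prefix
    ]
    leaked = vulnerable_get_template(template_dir, payloads[0])
    blocked = []
    for p in payloads:
        try:
            hardened_get_template(template_dir, p)
        except ValueError:
            blocked.append(p)
    return {
        "vulnerable_leaks_secret": "constructed-secret" in leaked,
        "hardened_serves_legit": hardened_get_template(template_dir, "postcard.tpl"),
        "hardened_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist alone already stops every payload above; the containment check is kept as a second, independent layer so that a future relaxation of the pattern, or a symlink inside the template directory, does not silently reopen the read. Restricting which files the web server user can read (for example, keeping config.php outside the document root with tight permissions) limits the blast radius if validation is bypassed.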

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-41655, GHSA-M3VP-3JJM-GPMX

Affected Products: Admidio