PT-2026-37145 · Admidio · Admidio

Adrgs · Published 2026-04-29 · Updated 2026-05-07 · CVE-2026-41661

CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9
Description An unauthenticated attacker can execute arbitrary JavaScript in a victim's browser via reflected cross-site scripting (XSS). The issue is in the 'system/msg_window.php' endpoint, which accepts message_id and message_var1 as GET parameters. The application passes message_var1 through htmlspecialchars(), which does not encode square brackets. Language::prepareTextPlaceholders() then converts square brackets into HTML angle brackets, so a value such as [script] is emitted as <script> and becomes executable markup. This bypasses the output encoding: once a user opens a crafted link, the attacker's script runs in the context of the Admidio origin, potentially leading to session cookie theft or administrative actions performed with the victim's privileges.
Recommendations Update to version 5.0.9 or later. As a temporary workaround, restrict access to the 'system/msg_window.php' endpoint (for example, to trusted IP ranges at the web server) to reduce exposure until the update is applied.
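To make the encoding-order problem concrete, the following is an added example that models the chain in a few lines of PHP; it is not Admidio's code. The translation template, the lookupTemplate(), renderVulnerable() and renderFixed() functions and the payload are constructed for illustration; only htmlspecialchars(), str_replace() and the bracket-to-angle-bracket rule come from the description above, and the fix shown is one way to break the chain, not necessarily the one shipped in 5.0.9.

```php
<?php
// Added example, not Admidio's own code. Hypothetical names: lookupTemplate(),
// renderVulnerable(), renderFixed(); the template text and payload are constructed.
declare(strict_types=1);

// Constructed stand-in for a translation string. "[b]...[/b]" is the
// project-style markup that the placeholder step turns into real tags,
// and #VAR1# is the slot that receives message_var1.
function lookupTemplate(string $messageId): string
{
    $templates = [
        'SYS_DELETE_ENTRY' => 'Do you really want to delete [b]#VAR1#[/b]?',
    ];
    return $templates[$messageId] ?? 'Unknown message';
}

// Placeholder processing as the advisory describes it: substitute the
// variables, then map every square bracket to an angle bracket.
function prepareTextPlaceholders(string $text, array $params): string
{
    foreach ($params as $i => $value) {
        $text = str_replace('#VAR' . ($i + 1) . '#', $value, $text);
    }
    return str_replace(['[', ']'], ['<', '>'], $text);
}

// Vulnerable order: the GET value is HTML-encoded first and only then
// pushed through the placeholder step. htmlspecialchars() leaves '[' and
// ']' alone, so they survive into the bracket conversion and become markup.
function renderVulnerable(string $messageId, string $var1): string
{
    $encoded = htmlspecialchars($var1, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return prepareTextPlaceholders(lookupTemplate($messageId), [$encoded]);
}

// Fixed order: an untrusted value must never reach the bracket conversion
// with literal brackets in it. Encode the usual HTML metacharacters and
// additionally replace the brackets with numeric character references,
// which the later str_replace() does not touch.
function renderFixed(string $messageId, string $var1): string
{
    $encoded = htmlspecialchars($var1, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $encoded = str_replace(['[', ']'], ['&#91;', '&#93;'], $encoded);
    return prepareTextPlaceholders(lookupTemplate($messageId), [$encoded]);
}

// Constructed payload in the shape an attacker would place in message_var1.
// It contains no '<', '>', '&' or quotes, so htmlspecialchars() passes it
// through unchanged.
$payload = '[img src=x onerror=alert(document.cookie)]';

echo renderVulnerable('SYS_DELETE_ENTRY', $payload), PHP_EOL;
echo renderFixed('SYS_DELETE_ENTRY', $payload), PHP_EOL;
```

Run with `php example.php`. The first line renders the payload as a live `<img src=x onerror=alert(document.cookie)>` element inside the `<b>` tags, which is exactly the bypass described above; the second keeps it inert as `&#91;img ... &#93;` while the template's own `[b]` markup still becomes `<b>`. The general lesson is that output encoding has to be applied after, or has to account for, every transformation that can create markup, not just the characters the encoder happens to know about.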

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-41661
GHSA-GQ27-FC8W-VCMP

Affected Products

Admidio