Description

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.

INFO

Published Date :

2026-03-19T23:12:37.664Z

Last Modified :

2026-03-25T14:48:54.765Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32757 vulnerability.

Vendors Products
Admidio
  • Admidio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32757.

URL Resource
https://github.com/Admidio/admidio/releases/tag/v5.0.7 cve-icon cve-icon
https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact