Reflected XSS Vulnerability in Admidio User Management Solution
CVE-2026-41661

6.1 MEDIUM

Key Information:

Vendor: Admidio

Status: Vendor

CVE Published: 7 May 2026

What is CVE-2026-41661?

Admidio, an open-source user management solution, is vulnerable to reflected Cross-Site Scripting (XSS) in versions prior to 5.0.9. The flaw allows an unauthenticated attacker to execute arbitrary JavaScript in a user's browser via the 'system/msg_window.php' endpoint. It arises from improper handling of user input: square brackets are not properly encoded before the input is reflected back into the page, so script content can be injected. Because the vulnerability is reflected, a victim must be induced to open a crafted request (User Interaction: Required in the CVSS vector below). The issue has been fixed in version 5.0.9.

Affected Version(s)

admidio < 5.0.9

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved