CVE-2026-41661 MEDIUM

CVE-2026-41661: Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Vendor Admidio

Product admidio

Weakness CWE-79 · XSS

Published May 7, 2026

Last update May 7, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.

Key dates

Disclosure timeline

May 7, 2026 CVE published

May 7, 2026 Record updated