Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Admidio 5.0.6 and below, the eCard handler uses unsanitized POST data instead of HTMLPurifier output, enabling authenticated HTML/JS injection into emails.
Vulnerability
Overview
CVE-2026-32757 is a server-side HTML injection vulnerability in the eCard feature of Admidio, an open-source user management system. The root cause is a coding error in ecard_send.php: the raw $_POST['ecard_message'] value is captured on line 38 before form validation runs, and this unsanitized value is later passed to parseEcardTemplate() on lines 159 and 201. The properly HTMLPurifier-sanitized value stored in $formValues['ecard_message'] is never used for the email content [1][2].
Exploitation and Attack Surface
An authenticated attacker can craft a malicious ecard_message payload containing arbitrary HTML and JavaScript. Because the raw POST value bypasses HTMLPurifier, the injected content is placed directly into the greeting card HTML template without any encoding—unlike recipient fields which are properly encoded via SecurityUtils::encodeHTML() [2]. The attacker then sends the eCard to any member or role, and the malicious content is delivered to the recipient's email client. No special network position is required beyond a valid login [1].
Impact
Successful exploitation allows an attacker to inject phishing content, fake login forms, or other social engineering attacks into legitimate-looking greeting card emails. Since the email originates from the trusted Admidio server, recipients are more likely to trust the content, increasing the effectiveness of the attack. The vulnerability crosses from the web application into the email client, potentially compromising other users' credentials or sensitive information [1][2].
Mitigation
The vulnerability is fixed in Admidio version 5.0.7, released on 2026-03-19 [4]. Users running 5.0.6 or earlier should upgrade immediately. No workaround is documented; the fix ensures the sanitized $formValues['ecard_message'] is used instead of the raw POST value [2].
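The data-flow defect the advisory describes (a value read from the raw POST array before validation and reused when the card is assembled) and the corrected flow (only the validated value reaches the template), as an added Python example that is not Admidio's code. Admidio is written in PHP and relies on HTMLPurifier; here a small allowlist sanitizer built on `html.parser` stands in for HTMLPurifier, `html.escape` stands in for `SecurityUtils::encodeHTML`, and the POST dictionary, template, field names and function names are constructed for the example. The `contains_active_content` check is the kind of regression test a maintainer would keep after such a fix.

```python
import html
import re
from html.parser import HTMLParser

# Inline formatting a greeting card message may keep. Constructed for this
# example; HTMLPurifier's real policy is configured by the application.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p"}


class AllowlistSanitizer(HTMLParser):
    """Minimal allowlist sanitizer standing in for HTMLPurifier.

    Keeps only ALLOWED_TAGS, strips every attribute (so onclick/href never
    survive), escapes all text, and drops <script>/<style> bodies entirely.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are intentionally dropped
        # disallowed tags are removed; their text content is still emitted

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth:
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Return the allowlisted, escaped version of an HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def validate_form(post):
    """Server-side validation step: returns only sanitized form values."""
    return {
        # recipient fields are plain text, so they are fully HTML-encoded
        "ecard_recipient": html.escape(post.get("ecard_recipient", "")),
        # the message is rich text, so it goes through the allowlist sanitizer
        "ecard_message": sanitize(post.get("ecard_message", "")),
    }


TEMPLATE = '<p>To: {recipient}</p><div class="message">{message}</div>'


def build_ecard(post, use_sanitized):
    """Assemble the card body from a POST dictionary.

    use_sanitized=False reproduces the defect class: the value captured from
    the raw POST array before validation is what ends up in the template.
    use_sanitized=True is the corrected flow, using the validated value.
    """
    raw_message = post.get("ecard_message", "")  # captured before validation
    form_values = validate_form(post)
    message = form_values["ecard_message"] if use_sanitized else raw_message
    return TEMPLATE.format(recipient=form_values["ecard_recipient"], message=message)


def contains_active_content(rendered):
    """Regression check: flags script tags or inline event-handler attributes."""
    return re.search(r"<script\b|\son\w+\s*=", rendered, re.IGNORECASE) is not None


# Constructed sample request, not captured traffic.
SAMPLE_POST = {
    "ecard_recipient": "Member <member@example.org>",
    "ecard_message": "<b>Hello</b> <script>alert('x')</script><p onclick=\"x()\">see you</p>",
}

if __name__ == "__main__":
    print("raw flow  :", build_ecard(SAMPLE_POST, use_sanitized=False))
    print("fixed flow:", build_ecard(SAMPLE_POST, use_sanitized=True))
```

Running the module prints both renderings; the raw flow carries the script tag and the event handler into the card body, while the fixed flow keeps only the allowlisted formatting. The sanitizer deliberately discards all attributes rather than trying to filter them, which is the simpler policy to reason about when the only goal is inline formatting in an email.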
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| admidio/admidio (Packagist) | < 5.0.7 | 5.0.7 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-4wr4-f2qf-x5wj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32757 (ghsa, ADVISORY)
- github.com/Admidio/admidio/releases/tag/v5.0.7 (ghsa, x_refsource_MISC, WEB)
- github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.