{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32757", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T23:12:37.664Z", "dateUpdated": "2026-03-25T14:48:54.765Z"}, "containers": {"cna": {"title": "Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj"}, {"name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"version": "< 5.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:12:37.664Z"}, "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7."}], "source": {"advisory": "GHSA-4wr4-f2qf-x5wj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:48:15.625356Z", "id": "CVE-2026-32757", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:48:54.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32757", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:48:15.625356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:48:45.363Z"}}], "cna": {"title": "Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection", "source": {"advisory": "GHSA-4wr4-f2qf-x5wj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Admidio", "product": "admidio", "versions": [{"status": "affected", "version": "< 5.0.7"}]}], "references": [{"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj", "name": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "name": "https://github.com/Admidio/admidio/releases/tag/v5.0.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:12:37.664Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32757", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:48:54.765Z", "dateReserved": "2026-03-13T18:53:03.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:12:37.664Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*:*", "matchCriteriaId": "3347E657-D132-4D87-A355-391136657A27", "versionEndExcluding": "5.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7."}, {"lang": "es", "value": "Admidio es una soluci\u00f3n de gesti\u00f3n de usuarios de c\u00f3digo abierto. En las versiones 5.0.6 e inferiores, el gestor de env\u00edo de eCard utiliza un valor $_POST['ecard_message'] sin procesar en lugar del $formValues['ecard_message'] saneado por HTMLPurifier al construir el HTML de la tarjeta de felicitaci\u00f3n. Esto permite a un atacante autenticado inyectar HTML y JavaScript arbitrarios en correos electr\u00f3nicos de tarjetas de felicitaci\u00f3n enviados a otros miembros, eludiendo el saneamiento de HTMLPurifier del lado del servidor que se aplica correctamente al campo ecard_message durante la validaci\u00f3n del formulario. Un ataque puede resultar en que cualquier miembro o rol reciba contenido de phishing que parezca leg\u00edtimo, pasando de la aplicaci\u00f3n web a los clientes de correo electr\u00f3nico de los destinatarios. Este problema ha sido solucionado en la versi\u00f3n 5.0.7."}], "id": "CVE-2026-32757", "lastModified": "2026-03-23T16:52:29.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:16.930", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Admidio/admidio/releases/tag/v5.0.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-4wr4-f2qf-x5wj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "admidio", "source": "cna", "vendor": "Admidio"}, "product": "admidio", "vendor": "admidio"}], "analysis": {"en": {"generated_at": "2026-03-23T18:29:13.048099+00:00", "value": {"mitigation_remediation": ["Update to Admidio version 5.0.7 or later as recommended by the vendor.", "If an upgrade cannot be applied immediately, disable or restrict the eCard sending feature to trusted users only and closely monitor eCard activity.", "Review application logs for suspicious eCard messages and audit user permissions for eCard sending.", "Apply any custom patches that re\u2011enforce HTMLPurifier sanitization on the eCard_message field if custom code has been added."], "summary": {"action": "Immediate Patch", "impact": "Email Injection / Phishing"}, "threat_synthesis": {"affected_systems": "Admidio, the open\u2011source user management solution. All installations of version 5.0.6 and earlier are vulnerable. The issue is resolved in version 5.0.7. The CNA identified the affected vendor/product as Admidio:admidio.", "description_and_impact": "The vulnerability resides in the eCard send handler of Admidio. Instead of using the sanitized value from the form, the code uses the raw $_POST['ecard_message'] when composing the greeting card HTML. Consequently, an authenticated user can inject arbitrary HTML and JavaScript into a greeting card email. This bypasses the server\u2011side HTMLPurifier sanitization, allowing phishing content that appears legitimate to be sent to other members. The flaw could lead to credential theft or malware installation if victims interact with the injected content.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not present in the KEV list. An attacker must be authenticated and have permission to send eCards. The attack path involves submitting a crafted eCard message that contains malicious HTML or script; the message is then delivered via email to the recipient\u2019s client where the content is rendered. The impact is primarily phishing and potential credential compromise. Given the moderate score and low exploitation likelihood, the risk can be considered moderate but with the possibility of targeted attacks against active Admidio deployments."}}}}, "created": "2026-03-20T08:54:21.155208+00:00", "updated": "2026-03-25T11:54:00.142853+00:00", "vendors": ["admidio", "admidio$PRODUCT$admidio"]}