CVE-2026-41661— Admidio 跨站脚本漏洞

Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Admidio 跨站脚本漏洞

Admidio是Admidio团队的一套开源的成员管理系统。该系统支持成员列表、事件管理、留言簿、相册和下载等功能。 Admidio 5.0.9之前版本存在跨站脚本漏洞，该漏洞源于system/msg_window.php端点存在反射型跨站脚本，用户输入经过htmlspecialchars处理后未编码方括号，后续调用Language::prepareTextPlaceholders将其转换为HTML尖括号，可能导致任意JavaScript执行。

N/A

N/A