CVE-2026-41655

MEDIUM

Admidio: Path Traversal in ECard Preview Allows Reading Arbitrary Server Files Including Database Credentials

Title source: cna

Description

Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx

X_Refsource_Misc x_refsource_misc

https://github.com/Admidio/admidio/releases/tag/v5.0.9

Scores

CVSS v3 6.5

EPSS 0.0031

EPSS Percentile 22.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

admidio/admidio 0 - 5.0.9Packagist

Admidio/admidio < 5.0.9

Published May 07, 2026

Tracked Since May 07, 2026