GHSA-GQ27-FC8W-VCMP
Vulnerability from github – Published: 2026-04-29 21:51 – Updated: 2026-05-08 20:13Summary
An unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup.
Details
The msg_window.php endpoint accepts message_id and message_var1 as GET parameters. At line 146, the code passes message_var1 through htmlspecialchars() before inserting it into the language string as a placeholder:
// system/msg_window.php:146
$messageText = $gL10n->get($messageId, array(htmlspecialchars($messageVar1)));
htmlspecialchars() encodes <, >, &, ", and ' but leaves [ and ] untouched. The Language::get() method calls Language::prepareTextPlaceholders(), which performs a character-level translation:
// src/Infrastructure/Language.php:497
$text = strtr($text, '[]', '<>');
This converts all square brackets in the output string, including those from user input, into angle brackets. An attacker submits [script]alert(document.domain)[/script], which survives htmlspecialchars() unchanged, then becomes <script>alert(document.domain)</script> after placeholder preparation.
The application sets no Content-Security-Policy headers, so inline scripts execute without restriction.
Proof of Concept
Visit the following URL on any Admidio installation (no authentication required):
https://<admidio-host>/system/msg_window.php?message_id=INS_INSTALLATION_VERSION&message_var1=%5Bscript%5Dalert(document.domain)%5B/script%5D
The server responds with an HTML page containing:
Installation version <script>alert(document.domain)</script>
The JavaScript executes in the context of the Admidio origin, displaying the current domain in an alert dialog.
Impact
An attacker crafts a malicious URL and sends it to any Admidio user. When the victim clicks the link, attacker-controlled JavaScript runs in their browser session. The attacker can steal session cookies, perform administrative operations on behalf of the victim, or redirect the victim to phishing pages. The endpoint requires no authentication.
Recommended Fix
Apply output encoding after Language::prepareTextPlaceholders() runs, or stop translating square brackets that originate from user-supplied placeholder values. A targeted fix: escape [ and ] in user input before passing it into Language::get().
Found by aisafe.io
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.8"
},
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41661"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T21:51:13Z",
"nvd_published_at": "2026-05-07T04:16:29Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn unauthenticated attacker can execute arbitrary JavaScript in any Admidio user\u0027s browser through a reflected XSS in `system/msg_window.php`. The endpoint passes user input through `htmlspecialchars()`, which does not encode square brackets. A subsequent call to `Language::prepareTextPlaceholders()` converts those brackets into HTML angle brackets, producing executable markup.\n\n## Details\n\nThe `msg_window.php` endpoint accepts `message_id` and `message_var1` as GET parameters. At line 146, the code passes `message_var1` through `htmlspecialchars()` before inserting it into the language string as a placeholder:\n\n```php\n// system/msg_window.php:146\n$messageText = $gL10n-\u003eget($messageId, array(htmlspecialchars($messageVar1)));\n```\n\n`htmlspecialchars()` encodes `\u003c`, `\u003e`, `\u0026`, `\"`, and `\u0027` but leaves `[` and `]` untouched. The `Language::get()` method calls `Language::prepareTextPlaceholders()`, which performs a character-level translation:\n\n```php\n// src/Infrastructure/Language.php:497\n$text = strtr($text, \u0027[]\u0027, \u0027\u003c\u003e\u0027);\n```\n\nThis converts all square brackets in the output string, including those from user input, into angle brackets. An attacker submits `[script]alert(document.domain)[/script]`, which survives `htmlspecialchars()` unchanged, then becomes `\u003cscript\u003ealert(document.domain)\u003c/script\u003e` after placeholder preparation.\n\nThe application sets no Content-Security-Policy headers, so inline scripts execute without restriction.\n\n## Proof of Concept\n\nVisit the following URL on any Admidio installation (no authentication required):\n\n```\nhttps://\u003cadmidio-host\u003e/system/msg_window.php?message_id=INS_INSTALLATION_VERSION\u0026message_var1=%5Bscript%5Dalert(document.domain)%5B/script%5D\n```\n\nThe server responds with an HTML page containing:\n\n```html\nInstallation version \u003cscript\u003ealert(document.domain)\u003c/script\u003e\n```\n\nThe JavaScript executes in the context of the Admidio origin, displaying the current domain in an alert dialog.\n\n## Impact\n\nAn attacker crafts a malicious URL and sends it to any Admidio user. When the victim clicks the link, attacker-controlled JavaScript runs in their browser session. The attacker can steal session cookies, perform administrative operations on behalf of the victim, or redirect the victim to phishing pages. The endpoint requires no authentication.\n\n## Recommended Fix\n\nApply output encoding after `Language::prepareTextPlaceholders()` runs, or stop translating square brackets that originate from user-supplied placeholder values. A targeted fix: escape `[` and `]` in user input before passing it into `Language::get()`.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
"id": "GHSA-gq27-fc8w-vcmp",
"modified": "2026-05-08T20:13:52Z",
"published": "2026-04-29T21:51:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41661"
},
{
"type": "PACKAGE",
"url": "https://github.com/Admidio/admidio"
},
{
"type": "WEB",
"url": "https://github.com/Admidio/admidio/releases/tag/v5.0.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.