CVE-2026-41655: Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials
The ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php, which contains the database credentials.
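A defensive check for the pattern described above, as an added example that is not Admidio's own code: the template name from the request is accepted only if it is a bare filename that actually exists in the template directory and canonically resolves beneath it. The directory location, the `.tpl` extension and the function name are assumptions for illustration.

```php
<?php
// Added example (not Admidio's code): validate a user-supplied template name
// before it reaches any file-reading function. Directory and extension are
// assumptions for illustration.
declare(strict_types=1);

/**
 * Returns the absolute path of the requested template, or null when the
 * request is not a plain filename inside $templateDir.
 */
function resolveTemplatePath(string $templateDir, string $requested): ?string
{
    // 1. Accept only a bare filename: letters, digits, '_', '-' and one
    //    ".tpl" suffix. Slashes, backslashes, NUL bytes and ".." cannot match.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.tpl\z/', $requested) !== 1) {
        return null;
    }

    // 2. Allowlist against the real directory listing instead of trusting the
    //    string: only regular files present in the template directory qualify.
    $entries = scandir($templateDir) ?: [];
    $allowed = array_filter($entries, static function (string $f) use ($templateDir): bool {
        return is_file($templateDir . DIRECTORY_SEPARATOR . $f);
    });
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Defence in depth: the canonical path must still lie under the
    //    canonical template directory (catches symlinks pointing elsewhere).
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: refuse the request instead of reading whatever path was supplied.
$templateDir  = __DIR__ . '/ecard_templates';                 // assumed location
$requested    = (string) ($_POST['ecard_template'] ?? '');
$templatePath = resolveTemplatePath($templateDir, $requested);
if ($templatePath === null) {
    http_response_code(400);
    exit('Invalid ecard template');
}
$templateHtml = file_get_contents($templatePath);
```

Logging rejected values alongside the authenticated user id gives detection a clear signal, since a legitimate template name never contains a path separator.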