CVE-2026-41661 Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion
Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode...