← Back

CVE-2026-27895

nvd nist
Published: Mar 18, 2026Modified: Mar 23, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

Affected (1)

Ldap Account Manager
1 product
Ldap Account Manager
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ldap Account Manager
From 8.5 to 9.5

Related CWEs

CWE-185
Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Not Applicable

Timeline

No history available yet.