Skip to main content

PHP CVE-2026-27894

HIGH
PHP Remote File Inclusion (CWE-98)
2026-03-18 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 00:30 vuln.today
CVE Published
Mar 18, 2026 - 00:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

AnalysisAI

LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.

Technical ContextAI

This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), commonly known as local file inclusion. LDAP Account Manager is a PHP-based web application that provides a graphical interface for managing LDAP directories, typically used in enterprise environments for user account, group, and DHCP configuration management. The flaw exists in the PDF profile export mechanism where user-controlled input is insufficiently validated before being passed to PHP include or require statements. The vulnerability's severity is amplified by its chain-ability with GHSA-88hf-2cjm-m9g8, suggesting a multi-stage attack path where file write capabilities combined with file inclusion lead to arbitrary code execution. The affected component processes PDF configuration profiles stored in /var/lib/ldap-account-manager/config, where malicious PHP code can be injected and subsequently included during PDF generation.

RemediationAI

Upgrade LDAP Account Manager to version 9.5 or later immediately, as documented in the release notes at https://github.com/LDAPAccountManager/lam/releases/tag/9.5. Until patching is completed, implement the recommended workaround by making the /var/lib/ldap-account-manager/config directory read-only for the web server user (typically www-data or apache) using filesystem permissions, and delete all existing PDF profile files to prevent exploitation through the vulnerable code path, though this will disable PDF export functionality. Additionally, review web server access logs for suspicious file access patterns in the config directory, restrict LAM interface access to trusted networks using firewall rules or reverse proxy ACLs, enforce strong authentication for all LAM accounts, and audit existing user accounts for unauthorized privilege escalation. Given the chain-ability with GHSA-88hf-2cjm-m9g8, also review that advisory at https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8 for additional mitigation steps.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Vendor StatusVendor

Ubuntu

Priority: Medium
ldap-account-manager
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

ldap-account-manager
Release Status Fixed Version Urgency
bullseye (security), bullseye vulnerable 8.0.1-0+deb11u1 -
bookworm vulnerable 8.3-1 -
forky, sid, trixie vulnerable 9.0-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-27894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy