PHP
CVE-2026-27894
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
AnalysisAI
LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L), tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.
Technical ContextAI
This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), commonly known as local file inclusion. LDAP Account Manager is a PHP-based web application that provides a graphical interface for managing LDAP directories, typically used in enterprise environments for user account, group, and DHCP configuration management. The flaw exists in the PDF profile export mechanism where user-controlled input is insufficiently validated before being passed to PHP include or require statements. The vulnerability's severity is amplified by its chain-ability with GHSA-88hf-2cjm-m9g8, suggesting a multi-stage attack path where file write capabilities combined with file inclusion lead to arbitrary code execution. The affected component processes PDF configuration profiles stored in /var/lib/ldap-account-manager/config, where malicious PHP code can be injected and subsequently included during PDF generation.
RemediationAI
Upgrade LDAP Account Manager to version 9.5 or later immediately, as documented in the release notes at https://github.com/LDAPAccountManager/lam/releases/tag/9.5. Until patching is completed, implement the recommended workaround by making the /var/lib/ldap-account-manager/config directory read-only for the web server user (typically www-data or apache) using filesystem permissions, and delete all existing PDF profile files to prevent exploitation through the vulnerable code path, though this will disable PDF export functionality. Additionally, review web server access logs for suspicious file access patterns in the config directory, restrict LAM interface access to trusted networks using firewall rules or reverse proxy ACLs, enforce strong authentication for all LAM accounts, and audit existing user accounts for unauthorized privilege escalation. Given the chain-ability with GHSA-88hf-2cjm-m9g8, also review that advisory at https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8 for additional mitigation steps.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | vulnerable | 8.0.1-0+deb11u1 | - |
| bookworm | vulnerable | 8.3-1 | - |
| forky, sid, trixie | vulnerable | 9.0-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today