EGroupware CVE-2026-40187
HIGHSeverity by source
Delivered over the web admin UI (AV:N) and straightforward once conditions met (AC:L); requires an admin account (PR:H); attacker acts alone (UI:N); PHP-app breakout to OS shell justifies S:C with full C/I/A:H.
Lifecycle Timeline
1DescriptionCVE.org
Summary
An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.
The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.
In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server.
------------------------------------------------------------------------
Details
The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703-728)
The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:
str_replace('"', '\\"', $name)This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators - equivalent to shell_exec(). A widget id of $row\id`` produces:
eval('$name = "$row`id`";'); // executes shell command: idexpand_name() is called from:
form_name()expand_widget()set_attrs()Template::run()
The /etemplates VFS path is created exclusively for admin users - it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106
Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.
Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47
The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17
------------------------------------------------------------------------
Proof of Concept (PoC)
Prerequisites
- Admin account
- Non-Docker deployment, or Docker deployment where disable_functions has been removed/modified in php.ini
Step 1 - Mount /etemplates:
Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in filemanager_admin.inc.php that mounts /etemplates with Admins-group write access.
Step 2 - Upload malicious template:
Create a file named index.xet with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<overlay>
<template id="admin.index">
<grid>
<columns><column/></columns>
<rows>
<row>
<textbox id="$row`touch /tmp/pwned_egw 2>/dev/null`"/>
</row>
</rows>
</grid>
</template>
</overlay>Upload this file to /etemplates/admin/templates/default/index.xet via the VFS filemanager.
Step 3 - Trigger execution:
Navigate to the EGroupware admin panel:
https://<target>/egroupware/index.php?menuaction=admin.admin_ui.indexWhen the template is loaded and beforeSendToClient() runs, form_name() calls expand_name() with $name = '$row\touch /tmp/pwned_egw 2>/dev/null'and$row = 0. The eval becomes:
eval('$name = "$row`touch /tmp/pwned_egw 2>/dev/null`";');
PHP executes the backtick expression as a shell command.
Step 4 - Verify:
Check that /tmp/pwned_egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned_egw with id > /tmp/pwned_egw to capture the web server's OS user identity.
------------------------------------------------------------------------
Impact
Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.
Who is impacted: Any EGroupware installation where:
- An admin account is compromised or a malicious admin exists, AND
- The server is not running with disable_functions blocking shell_exec (i.e., non-Docker or misconfigured deployments)
------------------------------------------------------------------------
Severity
The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable_functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.
AnalysisAI
Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) an authenticated EGroupware administrator account - this is explicitly not exploitable by regular/non-admin users; (2) the /etemplates VFS mount to be created, which the attacker can do via Admin → Filemanager → VFS Mounts → 'Install custom templates'; and (3) a PHP runtime that does NOT block shell execution - i.e., disable_functions must not include shell_exec/system/etc. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score or vector was provided (CVSS N/A), and the CVE is not listed in CISA KEV, so this is not confirmed as actively exploited; however, a complete, reliable proof-of-concept is published in the vendor advisory, so publicly available exploit code exists. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised EGroupware administrator on a non-hardened (non-Docker) install mounts the /etemplates VFS via 'Install custom templates', then uploads a crafted index.xet whose textbox id contains a backtick payload such as $row`id > /tmp/pwned`. When they browse the admin panel (admin.admin_ui.index), the eTemplate engine's expand_name() evaluates the attribute and the OS executes the embedded shell command as www-data. … |
| Remediation | No vendor-released patched version was identified in the provided data, so upgrade guidance must come from the GitHub Security Advisory GHSA-8737-2x9g-xjj7 (https://github.com/EGroupware/egroupware/security/advisories/GHSA-8737-2x9g-xjj7) - apply the fixed release the vendor references there once confirmed; the correct code-level fix is to escape backticks (and ideally eliminate the eval()) in Widget::expand_name(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit and restrict EGroupware administrator accounts to essential personnel only; review access logs for suspicious .xet template uploads or unexpected administrative activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8737-2x9g-xjj7