CVE-2026-27895
Severity: MEDIUM (CVSS 4.3)
Description
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate the extensions of uploaded files, so files of any type (including .php files) can be uploaded. Combined with GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Upgrading is recommended; as a workaround, /var/lib/ldap-account-manager/config can be made read-only for the web server user.
CVE details
CVSS v3.1 score: 4.3
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 3/18/2026
Last modified: 3/23/2026
Source: nvd
Honeypot observations: 0
Affected products
ldap-account-manager:ldap_account_manager
Weaknesses (CWE)
CWE-185
References
https://github.com/LDAPAccountManager/lam/releases/tag/9.5 (security-advisories@github.com)
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8 (security-advisories@github.com)
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf (security-advisories@github.com)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.