8.8

CVE-2026-27895

EPSS 0.08%
Veröffentlicht 17.03.2026 23:51:26
Zuletzt bearbeitet 23.03.2026 18:02:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ldap-account-manager ≫ Ldap Account Manager Version >= 8.5 < 9.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.228

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-185 Incorrect Regular Expression

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf

Not Applicable

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8

Vendor Advisory

https://github.com/LDAPAccountManager/lam/releases/tag/9.5

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-27895

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27895

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27895

EUVD