CVE-2026-27895 · HIGH 8.8 · EPSS p33.4%

Description

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions, so any file type (including .php files) can be uploaded. Combined with GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround is to make /var/lib/ldap-account-manager/config read-only for the web server user.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.4% · 2026-06-18T12:00:27Z
Published: 2026-03-18
Last modified: 2026-03-23

Underlying weaknesses (1)

CWE-185

References

  1. https://github.com/LDAPAccountManager/lam/releases/tag/9.5
  2. https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8
  3. https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf

Type      | Target                                   | Confidence | Tier
Weakness  | Incorrect Regular Expression (CWE-185)   | 0%         | live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.