CVE-2026-27895

low-risk
Published 2026-03-18

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.

Do I need to act?

-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Ldap Account Manager

Affected Vendors

Ldap-Account-Manager

References (3)

Patch https://github.com/LDAPAccountManager/lam/releases/tag/9.5
Vendor Advisory https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g...
Not Applicable https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9c...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal