CVE-2026-27895 — Incorrect Regular Expression in Ldap Account Manager

CWE-185 — Incorrect Regular Expression4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 74.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager

Timeline

PublishedMar 18

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-ac…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 9.5

▶debiandebian/ldap-account-manager< ldap-account-manager 9.5.1-1 (sid)

▶NVDldap-account-manager/ldap_account_manager8.5 — 9.5

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-27895: LDAP Account Manager (LAM) is a webfrontend for managing entries (e↗2026-03-18

▶

📋Vendor Advisories

Debian

CVE-2026-27895: ldap-account-manager - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27895 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶