CVE-2026-27895
Published 2026-03-18
Priority: P2 · 62 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.42% (33.5th percentile)
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions, so any file type (including .php files) can be uploaded. Combined with GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround is to make /var/lib/ldap-account-manager/config read-only for the web-server user.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ldap-account-manager | < ldap-account-manager 9.5.1-1 (sid) | ldap-account-manager 9.5.1-1 (sid) |
| ldap-account-manager | ldap_account_manager | >= 8.5 < 9.5 | 9.5 |
| ldapaccountmanager | lam | < 9.5 | 9.5 |
Detection & IOCs (extracted from sources)
- Monitor for PHP file uploads via the LAM PDF export component: any .php file written under the LAM config/upload directory is a strong indicator of exploitation.
- Exploitation chains this bug with GHSA-w7xq-vjr3-p9cf to reach RCE; alert on the web-server user spawning shells or unexpected child processes after a file upload to LAM.
- Watch for new or modified files with a .php extension under /var/lib/ldap-account-manager/config as a post-exploitation artifact.
- Exploitation requires chaining with a separate vulnerability (GHSA-w7xq-vjr3-p9cf) to achieve RCE; the file-upload bypass alone is not sufficient for code execution.
- Debian 'forky' and 'trixie' releases remain unpatched (open); 'bookworm', 'bullseye', and 'sid' (fixed in 9.5.1-1) are resolved.
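The two defender-side checks the indicators above imply, written out as an added example (not code from the page, from the LAM project, or from Debian): a sweep for PHP-executable files under the LAM config directory, and a mode-bit check that the advisory's read-only workaround actually holds for the web-server identity. The path /var/lib/ldap-account-manager/config comes from the advisory; the extension list beyond `.php`, the sample file names and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directory named in the advisory workaround (the LAM PDF export writes under it).
LAM_CONFIG_DIR = "/var/lib/ldap-account-manager/config"

# The advisory names .php; the other suffixes are an assumption about what a typical
# Apache/PHP handler also executes. Adjust to your own handler configuration.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def find_php_artifacts(root, since_epoch=0.0):
    """Sorted paths under `root` carrying a PHP suffix anywhere in the name (so both
    'report.pdf.php' and 'report.php.pdf' are flagged) and modified at or after
    `since_epoch` (seconds since the epoch; 0 means everything)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
                continue
            try:
                st = path.lstat()
            except OSError:
                continue  # vanished between listing and stat
            if st.st_mtime >= since_epoch:
                hits.append(str(path))
    return sorted(hits)


def mode_allows_write(mode, file_uid, file_gid, uid, gids):
    """POSIX mode-bit check: could user `uid` (member of groups `gids`) write this inode?
    Ignores ACLs, capabilities and read-only mounts, so False is a necessary condition
    for the workaround, not proof that the directory is locked down."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_paths(config_dir, web_uid, web_gids):
    """Every directory or file under `config_dir` the given identity could still write.
    An empty list means the read-only workaround holds at the mode-bit level."""
    found = []
    for dirpath, _dirs, files in os.walk(config_dir):
        for p in [Path(dirpath), *(Path(dirpath) / f for f in files)]:
            try:
                st = p.stat()
            except OSError:
                continue
            if mode_allows_write(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids):
                found.append(str(p))
    return sorted(found)


def build_sample_tree():
    """Constructed sample tree (not real LAM data): one legitimate export and two
    files that should never appear under the config directory."""
    root = tempfile.mkdtemp(prefix="lam-config-demo-")
    Path(root, "export.pdf").write_text("%PDF-1.4 constructed sample\n")
    Path(root, "shell.php").write_text("<?php /* constructed, inert */ ?>\n")
    Path(root, "pdf").mkdir()
    Path(root, "pdf", "report.pdf.php").write_text("<?php /* constructed, inert */ ?>\n")
    return root


def lock_down_sample_tree(root):
    """Emulate the advisory workaround on the sample tree: no write bit for anyone."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o444)
        os.chmod(dirpath, 0o555)
    return root


def owner_identity(root):
    st = os.stat(root)
    return st.st_uid, {st.st_gid}


def non_owner_identity(root):
    """A uid/gid that is neither root, the owner nor in the owning group."""
    st = os.stat(root)
    return st.st_uid + 1, {st.st_gid + 1}


if __name__ == "__main__":
    root = build_sample_tree()
    print("PHP artifacts:", find_php_artifacts(root))
    lock_down_sample_tree(root)
    print("Still writable after workaround:", writable_paths(root, *non_owner_identity(root)))
```

On a real host, run `find_php_artifacts(LAM_CONFIG_DIR, since_epoch=<last known-good time>)` and `writable_paths(LAM_CONFIG_DIR, <www-data uid>, {<www-data gids>})` instead of the sample tree; a non-empty result from either is the trigger to investigate.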
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | |
| vendor_debian | 4.3 | LOW | |
Debian
CVE-2026-27895 [MEDIUM] · vendor_debian · 2026 · CVSS 4.3
Scope: local
bookworm: resolved
bullseye: resolved
forky: open
sid: resolved (fixed in 9.5.1-1)
trixie: open
OSV
CVE-2026-27895 [HIGH] · osv · 2026-03-18 · CVSS 8.8
No detection rules found.
No public exploits indexed.
Published: 2026-03-18