{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27894", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T15:19:29.717Z", "datePublished": "2026-03-17T23:48:06.530Z", "dateUpdated": "2026-03-18T19:54:13.831Z"}, "containers": {"cna": {"title": "LAM has Authenticated Local File Inclusion (LFI) in PDF export", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf"}, {"name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8", "tags": ["x_refsource_MISC"], "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8"}, {"name": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5"}], "affected": [{"vendor": "LDAPAccountManager", "product": "lam", "versions": [{"version": "< 9.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:51:09.865Z"}, "descriptions": [{"lang": "en", "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible)."}], "source": {"advisory": "GHSA-w7xq-vjr3-p9cf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:54:01.110248Z", "id": "CVE-2026-27894", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:54:13.831Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T19:54:01.110248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:54:05.503Z"}}], "cna": {"title": "LAM has Authenticated Local File Inclusion (LFI) in PDF export", "source": {"advisory": "GHSA-w7xq-vjr3-p9cf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LDAPAccountManager", "product": "lam", "versions": [{"status": "affected", "version": "< 9.5"}]}], "references": [{"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf", "name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8", "name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5", "name": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:51:09.865Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27894", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:54:13.831Z", "dateReserved": "2026-02-24T15:19:29.717Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:48:06.530Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "27FD6BBA-5705-4452-8B86-E03926E85E19", "versionEndExcluding": "9.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible)."}, {"lang": "es", "value": "LDAP Account Manager (LAM) es una interfaz web para gestionar entradas (p. ej., usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. Antes de la versi\u00f3n 9.5, se detect\u00f3 una inclusi\u00f3n local de ficheros en la exportaci\u00f3n de PDF que permite a los usuarios incluir ficheros PHP locales y de esta manera ejecutar c\u00f3digo. En combinaci\u00f3n con GHSA-88hf-2cjm-m9g8, esto permite ejecutar c\u00f3digo arbitrario. Los usuarios deben iniciar sesi\u00f3n en LAM para explotar esta vulnerabilidad. La versi\u00f3n 9.5 soluciona el problema. Aunque se recomienda la actualizaci\u00f3n, una soluci\u00f3n alternativa ser\u00eda hacer que /var/lib/ldap-account-manager/config sea de solo lectura para el usuario del servidor web y eliminar los ficheros de perfil de PDF (haciendo imposibles las exportaciones de PDF)."}], "id": "CVE-2026-27894", "lastModified": "2026-03-23T18:03:22.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:19.607", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lam", "source": "cna", "vendor": "LDAPAccountManager"}, "product": "lam", "vendor": "ldapaccountmanager"}], "analysis": {"en": {"generated_at": "2026-03-23T19:28:48.133924+00:00", "value": {"mitigation_remediation": ["Upgrade LDAP Account Manager to version 9.5 or later.", "If an immediate upgrade is not possible, make the directory /var/lib/ldap-account-manager/config read\u2011only for the web\u2011server user.", "Delete any existing PDF profile files to disable PDF exports until the upgrade is performed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Authenticated Local File Inclusion"}, "threat_synthesis": {"affected_systems": "LDAPAccountManager\u2019s LAM web frontend is affected. All releases prior to version 9.5 are vulnerable, and users running these older versions should upgrade. The product handles LDAP entries and DHCP settings via a web interface.", "description_and_impact": "LDAP Account Manager contains a local file inclusion flaw in its PDF export that allows authenticated users to load arbitrary local PHP files, leading to code execution. In combination with a related GHSA advisory, the flaw permits arbitrary code execution on the server. The vulnerability requires an authenticated LAM session and threatens the confidentiality, integrity, and availability of the hosting system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while an EPSS score below 1% suggests low current exploitation probability; the vulnerability is not listed in CISA's KEV catalog. The flaw requires authentication, so the attack vector is local from an authenticated user through the PDF export feature, allowing remote code execution on the server."}}}}, "created": "2026-03-18T10:42:28.791640+00:00", "updated": "2026-03-24T10:54:17.226063+00:00", "vendors": ["ldapaccountmanager", "ldapaccountmanager$PRODUCT$lam"]}