PT-2026-25966 · Unknown · LDAP Account Manager

Author: Jonaslejon
Published: 2026-03-17
Updated: 2026-03-19
CVE: CVE-2026-27895
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager versions prior to 9.5

Description: LDAP Account Manager (LAM) is a web frontend for managing entries in an LDAP directory, such as users, groups, and DHCP settings. Before version 9.5, the PDF export component does not validate file extensions during file uploads, so any file type, including .php files, can be uploaded. Because the uploaded file is written to a location served by the web server, this can lead to remote code execution as the web server user; an attacker with upload access to the vulnerable component can therefore compromise the host.

Recommendations: Versions prior to 9.5 should be upgraded to version 9.5 or later. As a workaround, make the /var/lib/ldap-account-manager/config directory read-only for the web server user.

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-27895
GHSA-88HF-2CJM-M9G8
GHSA-W7XQ-VJR3-P9CF

Affected Products

Ldap Account Manager