CVE-2026-27894 HIGH

CVE-2026-27894: LAM has Authenticated Local File Inclusion (LFI) in PDF export

Vendor Ldapaccountmanager
Product lam
Weakness CWE-98 · PHP file inclusion
Published March 17, 2026
Last update March 18, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 18, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-62029 WordPress Grevo theme <= 2.4 - Local File Inclusion vulnerability CVE-2025-60059 WordPress smart SEO theme <= 2.12 - Local File Inclusion vulnerability CVE-2025-30820 WordPress WishSuite plugin <= 1.4.4 - Local File Inclusion Vulnerability CVE-2024-49649 WordPress Build App Online plugin <= 1.0.23 - Local File Inclusion vulnerability CVE-2025-32657 WordPress Testimonial Slider and Showcase Pro plugin <= 2.1.7 - Local File Inclusion vulnerability