CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-8737-2x9g-xjj7: EGroupware has Authenticated RCE via Malicious eTemplate Upload

highCVE-2026-40187
Summary An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount. The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped. In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server. Details The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703–728) The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is: php str_replace('"', '\\"', $name) This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators — equivalent to shell_exec(). A widget id of $row\id produces: eval('$name = "$rowid";'); // executes shell command: id expand_name() is called from: - form_name() - expand_widget() - set_attrs() - Template::run() The /etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106 Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template. Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Doc

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-07
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-8737-2x9g-xjj7

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-40187coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories