GHSA-8737-2x9g-xjj7: EGroupware has Authenticated RCE via Malicious eTemplate Upload
Summary
An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.
The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.
In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web
application access to arbitrary OS command execution on the server.
Details
The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703–728)
The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:
php
str_replace('"', '\\"', $name)
This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators — equivalent to shell_exec(). A widget id of $row\id produces:
eval('$name = "$rowid";'); // executes shell command: id
expand_name() is called from:
- form_name()
- expand_widget()
- set_attrs()
- Template::run()
The /etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106
Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.
Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Doc
Details
Original advisory: https://github.com/advisories/GHSA-8737-2x9g-xjj7
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-40187 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10