CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-40187

highcovered by 1 sourcefirst seen 2026-07-07
Summary An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount. The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped. In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server. Details The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703–728) The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is: php str_replace('"', '\\"', $name) This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators — equivalent to shell_exec(). A widget id of $row\id produces: eval('$name = "$rowid";'); // executes shell command: id expand_name() is called from: - form_name() - expand_widget() - set_attrs() - Template::run() The /etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106 Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template. Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Doc

⚡ Watch CVE-2026-40187

Get an email if CVE-2026-40187 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-40187

CVE.org record

Embed the live status

CVE-2026-40187 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-40187 status](https://www.csirts.com/badge/CVE-2026-40187)](https://www.csirts.com/cve/CVE-2026-40187)