CVE-2026-40187

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

EGroupware has Authenticated RCE via Malicious eTemplate Upload

Summary

An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.

The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.

In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server.

------------------------------------------------------------------------

Details

The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703–728)

The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:

`` php str_replace('"', '\\"', $name)

This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators — equivalent to  shell_exec(). A widget id of $row\id produces:
eval('$name = "$rowid";'); // executes shell command: id
expand_name() is called from:
  • form_name()
  • expand_widget()
  • set_attrs()
  • Template::run()

The /etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106

Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.

Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47

The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17

------------------------------------------------------------------------

Proof of Concept (PoC)

Prerequisites

  • Admin account
  • Non-Docker deployment, or Docker deployment where disable_functions has been removed/modified in php.ini

Step 1 — Mount /etemplates:

Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in
filemanager_admin.inc.php that mounts /etemplates with Admins-group write access.

Step 2 — Upload malicious template:

Create a file named index.xet with the following content:

xml

/dev/null"/>

Upload this file to /etemplates/admin/templates/default/index.xet via the VFS filemanager.

Step 3 — Trigger execution:

Navigate to the EGroupware admin panel:
https:///egroupware/index.php?menuaction=admin.admin_ui.index
When the template is loaded and beforeSendToClient() runs, form_name() calls expand_name() with $name = '$row\touch /tmp/pwned_egw 2>/dev/null'and$row = 0. The eval becomes:
eval('$name = "$rowtouch /tmp/pwned_egw 2>/dev/null";');

``

PHP executes the backtick expression as a shell command.

Step 4 — Verify:

Check that /tmp/pwned_egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned_egw with id > /tmp/pwned_egw` to capture the web server's OS user identity.

------------------------------------------------------------------------

Impact

Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.

Who is impacted: Any EGroupware installation where:

  • An admin account is compromised or a malicious admin exists, AND
  • The server is not running with disable_functions blocking shell_exec (i.e., non-Docker or misconfigured deployments)

------------------------------------------------------------------------

Severity

The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable_functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 7, 2026

Last Modified

July 7, 2026

Vendor Advisories for CVE-2026-40187(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 13:38 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-40187?
CVE-2026-40187 is a high vulnerability published on July 7, 2026. EGroupware has Authenticated RCE via Malicious eTemplate Upload Summary An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount. The Widget::expand_name() method passes template widget attribute…
When was CVE-2026-40187 disclosed?
CVE-2026-40187 was first published in the National Vulnerability Database on July 7, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-40187?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-40187, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-40187

Explore →

Is Your Infrastructure Affected by CVE-2026-40187?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.