Eval Injection Affecting egroupware/egroupware package, versions <23.1.20260601>=26.0.20251208, <26.4.20260413


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Eval Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-EGROUPWAREEGROUPWARE-17878646
  • published7 Jul 2026
  • disclosed7 Jul 2026
  • creditUnknown

Introduced: 7 Jul 2026

NewCVE-2026-40187  (opens in a new tab)
CWE-78  (opens in a new tab)
CWE-95  (opens in a new tab)

How to fix?

Upgrade egroupware/egroupware to version 23.1.20260601, 26.4.20260413 or higher.

Overview

egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office.

Affected versions of this package are vulnerable to Eval Injection via the expand_name function. An attacker can execute arbitrary OS commands by uploading a specially crafted eTemplate XML file containing malicious widget attribute values, which are processed with insufficient sanitization and passed to a PHP eval() call. This is only exploitable if the attacker has admin privileges and the PHP configuration does not have disable_functions set to block shell execution functions.

References

CVSS Base Scores

version 4.0
version 3.1