{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "2.16.7" }, { "introduced": "2.17" }, { "last_affected": "2.21" }, { "introduced": "0" }, { "fixed": "2.21.3" } ] }, "events": [ { "introduced": "0" }, { "fixed": "6f888e84213c1819e7b8924dd50875246b9654a4" }, { "introduced": "90a97ab1d90f1d32eaf56d0e4f3a72ca7cb40877" }, { "last_affected": "1421ad73acd3ee3b018db400195611de80dd4b60" }, { "introduced": "0" }, { "fixed": "a592316cbec75e48c34a6d77008643caa0e14aaa" }, { "fixed": "228d01945d48015f3f9ea8a8dc64d7e6a27750e9" } ], "repo": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng", "type": "GIT" } ] } ], "details": "In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.", "id": "CVE-2025-59518", "modified": "2026-03-10T21:47:30.398604782Z", "published": "2025-09-17T04:16:12.527Z", "references": [ { "type": "REPORT", "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/3462" }, { "type": "FIX", "url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/228d01945d48015f3f9ea8a8dc64d7e6a27750e9" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ] }