High severity · 8.0 · NVD Advisory · Published Sep 17, 2025 · Updated Apr 15, 2026
CVE-2025-59518
Description
In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail because it does not localize _ during rule evaluation. An administrator who can edit a rule evaluated by the Safe jail can therefore execute commands on the server.
Affected products (1)
- Range: <2.16.7, >=2.17,<2.21.3
Patches (3)
- 6f888e84213c
- a592316cbec7
- 228d01945d48
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.