There is a vulnerability in the current version of SurgeLDAP that allows an attacker to retrieve arbitrary files from the webserver that reside outside the bounding HTML root directory.