PT-2026-5137 · Unknown · Egroupware

Lukasz-Rybak · Published 2026-01-28 · Updated 2026-02-19 · CVE-2026-22243

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

EGroupware versions prior to 23.1.20260113
EGroupware versions prior to 26.0.20260113

Description

EGroupware is a web-based groupware server written in PHP. A SQL Injection issue exists in the core components of EGroupware, specifically in the Nextmatch filter processing. Authenticated attackers can inject arbitrary SQL commands into the WHERE clause of database queries. This is possible due to a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check. The vulnerable component is the Nextmatch filter.

Recommendations

Update EGroupware to version 23.1.20260113 or later.
Update EGroupware to version 26.0.20260113 or later.
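
An added illustration of the type-juggling pattern the description names, not EGroupware's code: it assumes the is_int() check is applied to the array keys of a JSON-decoded filter, which the page does not state. All function names, column names and the placeholder value are hypothetical.

```php
<?php
// Constructed illustration, not EGroupware code. All names are hypothetical.

// Weak pattern: an integer key marks a server-built SQL fragment that is
// used verbatim; a string key is a column name whose value gets bound.
function build_where_weak(array $filter): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (is_int($key)) {
            $sql[] = $value;              // trusted as raw SQL
        } else {
            $sql[] = "$key = ?";
            $params[] = $value;
        }
    }
    return [$sql, $params];
}

// Hardened pattern for client-supplied filters: only allow-listed column
// names with scalar values are accepted; integer keys are never honoured.
function build_where_strict(array $filter, array $allowedColumns): array
{
    $sql = [];
    $params = [];
    foreach ($filter as $key => $value) {
        if (!is_string($key) || !in_array($key, $allowedColumns, true) || !is_scalar($value)) {
            continue;
        }
        $sql[] = "$key = ?";
        $params[] = $value;
    }
    return [$sql, $params];
}

// Constructed request body: the client sends the key as the string "0".
$body = '{"0":"RAW_FRAGMENT_FROM_CLIENT","cat_id":"5"}';
$filter = json_decode($body, true);

// PHP arrays store the decimal string key "0" as the integer 0, so the
// is_int() test cannot tell it apart from a key the server set itself.
var_dump(array_keys($filter));
var_dump(build_where_weak($filter)[0]);
var_dump(build_where_strict($filter, ['cat_id', 'owner'])[0]);
```

Until the update is installed, a review of custom code for the same integer-key convention on client-decoded arrays is the corresponding check.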

Exploit

Fix

SQL injection

Weakness Enumeration

Related identifiers

CVE-2026-22243
GHSA-RVXJ-7F72-MHRX

Affected products

Egroupware