PT-2026-25776 · Glpi · Fields Plugin

Login-Securite · Published 2026-03-16 · Updated 2026-03-17 · CVE-2026-23489

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GLPI Fields plugin versions prior to 1.23.3

Description

The Fields plugin for GLPI allows users to add custom fields to GLPI item forms. Prior to version 1.23.3, users permitted to create dropdowns could execute arbitrary PHP code by creating specially crafted dropdowns. The vulnerable component is the plugin's dropdown creation functionality: the createDropdowns() function is implicated, and the vulnerable parameter is the input provided during dropdown creation.

Recommendations

Update versions prior to 1.23.3 to version 1.23.3 or later.

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-23489
GHSA-RJ7Q-MMX9-FHQ7

Affected Products

Fields Plugin