CVE-2026-22243

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113	Product Release Notes
https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113	Product Release Notes
https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:egroupware:egroupware:::::community:::*
	cpe:2.3:a:egroupware:egroupware:::::community:::*

History

No history.

Information

Published : 2026-01-28 17:16

Updated : 2026-02-19 21:21

NVD link : CVE-2026-22243

Mitre link : CVE-2026-22243

CVE.ORG link : CVE-2026-22243

JSON object : View

Products Affected

egroupware

egroupware

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-22243", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-28T17:16:15.663", "references": [{"url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."}, {"lang": "es", "value": "EGroupware es un servidor de groupware basado en web escrito en PHP. Existe una vulnerabilidad de inyecci\u00f3n SQL en los componentes centrales de EGroupware anteriores a las versiones 23.1.20260113 y 26.0.20260113, espec\u00edficamente en el procesamiento del filtro 'Nextmatch'. La falla permite a atacantes autenticados inyectar comandos SQL arbitrarios en la cl\u00e1usula 'WHERE' de las consultas de la base de datos. Esto se logra explotando un problema de manipulaci\u00f3n de tipos (type juggling) de PHP donde la decodificaci\u00f3n JSON convierte cadenas num\u00e9ricas en enteros, eludiendo la verificaci\u00f3n de seguridad 'is_int()' utilizada por la aplicaci\u00f3n. Las versiones 23.1.20260113 y 26.0.20260113 parchean la vulnerabilidad."}], "lastModified": "2026-02-19T21:21:44.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:egroupware:egroupware:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "9F79AA23-D51B-4881-92E1-7AD58066F134", "versionEndExcluding": "23.1.20260113"}, {"criteria": "cpe:2.3:a:egroupware:egroupware:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "B539FA17-54C7-40C4-A4B2-AF8CF7BE9705", "versionEndExcluding": "26.0.20260113", "versionStartIncluding": "26.0.20251208"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}