CVE-2026-22243
- Source
- https://cve.org/CVERecord?id=CVE-2026-22243
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22243.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-22243
- Aliases
- Published
- 2026-01-28T16:05:35.641Z
- Modified
- 2026-01-30T22:53:08.544889Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- EGroupware has SQL Injection in Nextmatch Filter Processing
- Details
-
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the
Nextmatchfilter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into theWHEREclause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing theis_int()security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22243.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-89" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22243.json
- https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113
- https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113
- https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx
- https://nvd.nist.gov/vuln/detail/CVE-2026-22243