CVE-2026-22243

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113	Product Release Notes
https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113	Product Release Notes
https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:egroupware:egroupware:::::community:::*
	cpe:2.3:a:egroupware:egroupware:::::community:::*

History

17 Jun 2026, 10:19

Type	Values Removed	Values Added
Summary		(es) EGroupware es un servidor de groupware basado en web escrito en PHP. Existe una vulnerabilidad de inyección SQL en los componentes centrales de EGroupware anteriores a las versiones 23.1.20260113 y 26.0.20260113, específicamente en el procesamiento del filtro 'Nextmatch'. La falla permite a atacantes autenticados inyectar comandos SQL arbitrarios en la cláusula 'WHERE' de las consultas de la base de datos. Esto se logra explotando un problema de manipulación de tipos (type juggling) de PHP donde la decodificación JSON convierte cadenas numéricas en enteros, eludiendo la verificación de seguridad 'is_int()' utilizada por la aplicación. Las versiones 23.1.20260113 y 26.0.20260113 parchean la vulnerabilidad.

19 Feb 2026, 21:21

Type	Values Removed	Values Added
CPE		cpe:2.3:a:egroupware:egroupware:::::community:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~() https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113 -~~	() https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113 - Product, Release Notes
References	~~() https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113 -~~	() https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113 - Product, Release Notes
References	~~() https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx -~~	() https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx - Exploit, Mitigation, Vendor Advisory
First Time		Egroupware egroupware Egroupware

28 Jan 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-28 17:16

Updated : 2026-06-17 10:19

NVD link : CVE-2026-22243

Mitre link : CVE-2026-22243

CVE.ORG link : CVE-2026-22243

JSON object : View

Products Affected

egroupware

egroupware

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.8 /10