EGroupware has SQL Injection in Nextmatch Filter Processing
Description
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
egroupware/egroupwarePackagist | < 23.1.20260113 | 23.1.20260113 |
egroupware/egroupwarePackagist | >= 26.0.20251208, < 26.0.20260113 | 26.0.20260113 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-rvxj-7f72-mhrxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22243ghsaADVISORY
- github.com/EGroupware/egroupware/releases/tag/23.1.20260113ghsax_refsource_MISCWEB
- github.com/EGroupware/egroupware/releases/tag/26.0.20260113ghsax_refsource_MISCWEB
- github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrxghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.