VYPR
High severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026

EGroupware has SQL Injection in Nextmatch Filter Processing

CVE-2026-22243

Description

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
egroupware/egroupwarePackagist
< 23.1.2026011323.1.20260113
egroupware/egroupwarePackagist
>= 26.0.20251208, < 26.0.2026011326.0.20260113

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.