EGroupware has SQL Injection in Nextmatch Filter Processing
Description
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
egroupware/egroupwarePackagist | < 23.1.20260113 | 23.1.20260113 |
egroupware/egroupwarePackagist | >= 26.0.20251208, < 26.0.20260113 | 26.0.20260113 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-rvxj-7f72-mhrxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-22243ghsaADVISORY
- github.com/EGroupware/egroupware/releases/tag/23.1.20260113ghsax_refsource_MISCWEB
- github.com/EGroupware/egroupware/releases/tag/26.0.20260113ghsax_refsource_MISCWEB
- github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrxghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.