216.73.216.215

CVE-2026-22243

· Published 28/01/2026 17:16 · Modified 29/01/2026 16:31

Labels: CVE-2026-22243 2026-01-28CVE-2026-22243CWE-89[email protected]

Essential information

Published
28/01/2026 17:16
Modified
29/01/2026 16:31
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
egroupware / egroupware cpe:2.3:a:egroupware:egroupware:<23.1.20260113:*:*:*:*:*:*:*
egroupware / egroupware cpe:2.3:a:egroupware:egroupware:<26.0.20260113:*:*:*:*:*:*:*

References