{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.920Z", "datePublished": "2026-01-28T16:05:35.641Z", "dateUpdated": "2026-01-28T16:28:24.378Z"}, "containers": {"cna": {"title": "EGroupware has SQL Injection in Nextmatch Filter Processing", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"}, {"name": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113", "tags": ["x_refsource_MISC"], "url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"}, {"name": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113", "tags": ["x_refsource_MISC"], "url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"}], "affected": [{"vendor": "EGroupware", "product": "egroupware", "versions": [{"version": "< 23.1.20260113", "status": "affected"}, {"version": "< 26.0.20260113", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T16:05:35.641Z"}, "descriptions": [{"lang": "en", "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."}], "source": {"advisory": "GHSA-rvxj-7f72-mhrx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T16:27:48.437430Z", "id": "CVE-2026-22243", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:28:24.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22243", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T16:27:48.437430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T16:28:13.675Z"}}], "cna": {"title": "EGroupware has SQL Injection in Nextmatch Filter Processing", "source": {"advisory": "GHSA-rvxj-7f72-mhrx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "EGroupware", "product": "egroupware", "versions": [{"status": "affected", "version": "< 23.1.20260113"}, {"status": "affected", "version": "< 26.0.20260113"}]}], "references": [{"url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx", "name": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113", "name": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113", "name": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T16:05:35.641Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22243", "state": "PUBLISHED", "dateUpdated": "2026-01-28T16:28:24.378Z", "dateReserved": "2026-01-07T05:19:12.920Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T16:05:35.641Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:egroupware:egroupware:*:*:*:*:community:*:*:*", "matchCriteriaId": "9F79AA23-D51B-4881-92E1-7AD58066F134", "versionEndExcluding": "23.1.20260113", "vulnerable": true}, {"criteria": "cpe:2.3:a:egroupware:egroupware:*:*:*:*:community:*:*:*", "matchCriteriaId": "B539FA17-54C7-40C4-A4B2-AF8CF7BE9705", "versionEndExcluding": "26.0.20260113", "versionStartIncluding": "26.0.20251208", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."}], "id": "CVE-2026-22243", "lastModified": "2026-02-19T21:21:44.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-28T17:16:15.663", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:42:55.859285+00:00", "value": {"mitigation_remediation": ["Apply the fixes delivered in EGroupware 23.1.20260113 or 26.0.20260113 and discontinue use of older releases.", "Restrict or remove user permissions that allow use of the Nextmatch filter feature to limit the attack surface.", "Monitor application logs for anomalous SQL fragments or repeated failed queries that may indicate abuse of the vulnerable code path."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "All community editions of EGroupware running versions older than 23.1.20260113 and 26.0.20260113 are affected. The fix was delivered in those two releases, so any installation of those earlier versions must update to the patched releases.", "description_and_impact": "The flaw is a classic SQL injection in the Nextmatch filter handling of EGroupware. An authenticated user can submit JSON-encoded input that is decoded into numeric values, bypassing the is_int() security check that protects the WHERE clause of database queries. This type juggling mistake enables the attacker to inject and execute arbitrary SQL statements, potentially reading, modifying, or deleting data from the database. The vulnerability resides in core PHP code used by the web\u2011based groupware interface.", "risk_and_exploitability": "The CVSS score of 8.7 signals high severity, while the EPSS score is less than 1\u202f%, indicating a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been confirmed yet. An attacker must first be authenticated to EGroupware, but once logged in they can craft malicious Nextmatch filter parameters to inject SQL, with the potential for significant data exposure or alteration depending on database access rights."}}}}, "created": "2026-01-29T09:09:27.029359+00:00", "updated": "2026-04-18T01:45:33.403945+00:00", "vendors": ["egroupware", "egroupware$PRODUCT$egroupware"]}