CVE-2026-22243
Published 2026-01-28
Priority: P2 61 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.9th percentile)
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
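The type-juggling bypass described above, as an added example that is not EGroupware's own code: a hypothetical `col_filter` builder that treats integer-keyed entries as pre-built SQL fragments (the pattern the advisory's `is_int()` check guards), beside a hardened version that validates request-supplied columns against an allowlist instead. Function, column and filter names are constructed for the demo; the only real behaviour relied on is that PHP casts decimal-string array keys to `int`, so `json_decode()` turns a JSON key `"0"` into the integer key `0`.

```php
<?php
// Added illustration, not EGroupware's own code: a filter builder in the
// style the advisory describes, where integer keys mark pre-built SQL
// fragments added by application code and string keys mark column/value
// pairs from the request. Column names and values are constructed for the demo.

function quoteValue($v): string
{
    // Demo-only quoting; production code must use the driver's quoting or placeholders.
    return "'" . str_replace("'", "''", (string) $v) . "'";
}

// VULNERABLE pattern: is_int($key) is used as proof that an entry was added
// by trusted code. But PHP casts decimal-string array keys to int, so a JSON
// object key "0" from the request is the integer key 0 after json_decode().
function whereVulnerable(array $colFilter): string
{
    $parts = [];
    foreach ($colFilter as $key => $value) {
        if (is_int($key)) {
            $parts[] = $value;                          // raw fragment, unquoted
        } else {
            $parts[] = $key . '=' . quoteValue($value); // column/value pair, quoted
        }
    }
    return 'WHERE ' . implode(' AND ', $parts);
}

// HARDENED pattern: request-supplied filters are only ever column/value
// pairs checked against an allowlist; the PHP type of the key is never a
// trust signal. Raw fragments arrive through a separate, code-only argument.
function whereHardened(array $requestFilter, array $allowedColumns, array $trustedFragments = []): string
{
    $parts = $trustedFragments;
    foreach ($requestFilter as $key => $value) {
        $col = (string) $key;
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("unknown filter column: $col");
        }
        $parts[] = $col . '=' . quoteValue($value);
    }
    return $parts ? 'WHERE ' . implode(' AND ', $parts) : '';
}

// Constructed request body: "0" is a string key in JSON but an int key in PHP.
$body = json_decode('{"0":"1=1","info_status":"open"}', true);
var_dump(is_int(array_key_first($body)));   // the request-supplied key already satisfies is_int()
echo whereVulnerable($body), "\n";          // the fragment is concatenated into WHERE unquoted
try {
    echo whereHardened($body, ['info_status']), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // the same body is refused by the allowlist
}
```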
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| egroupware | egroupware | < 26.0.20260113 | 26.0.20260113 |
| egroupware | egroupware | < 23.1.20260113 | 23.1.20260113 |
| egroupware | egroupware | >= 0 < 23.1.20260113 | 23.1.20260113 |
| egroupware | egroupware | >= 26.0.20251208 < 26.0.20260113 | 26.0.20260113 |
| egroupware | egroupware | >= 26.0.20251208 < 26.0.20260113 | 26.0.20260113 |
Detection & IOCs (extracted from sources)
- SQL Injection via Nextmatch filter processing: look for anomalous SQL metacharacters or injected clauses in WHERE conditions originating from Nextmatch filter parameters in EGroupware HTTP requests.
- Exploitation relies on PHP type juggling: JSON-decoded numeric strings become integers, bypassing the is_int() check. Monitor for JSON-encoded numeric filter values in EGroupware Nextmatch API requests that result in unexpected integer types server-side.
- Target component is the EGroupware Nextmatch filter processing subsystem. Focus WAF/IDS rules and log review on requests targeting Nextmatch filter endpoints in EGroupware installations running versions prior to 23.1.20260113 or 26.0.20260113.
- Vulnerability requires authentication: prioritize detection of SQL injection patterns from authenticated sessions in EGroupware access logs, as unauthenticated exploitation is not possible.
- A public exploit exists for this vulnerability, raising the urgency of patching or mitigating EGroupware instances. Patch to versions 23.1.20260113 or 26.0.20260113.
- The affected package is egroupware/egroupware (Composer). Ensure dependency scanning covers this package in PHP environments.
- Fix was added on January 29, 2026. Installations not yet updated to patched versions 23.1.20260113 or 26.0.20260113 remain vulnerable.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
CVE-2026-22243 [HIGH] CWE-89 EGroupware has SQL Injection in Nextmatch Filter Processing
ghsa · 2026-01-28
### Summary
**Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing**
A critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application.
### Details
**Root Cause Analysis**
The vulnerability exists in how the database abstraction layer (`Api\Db`) and high-level storage classes (`Api\Storage\Base`, `infolog_so`) process the `col_filter` array used
OSV
CVE-2026-22243 [HIGH] EGroupware has SQL Injection in Nextmatch Filter Processing
osv · 2026-01-28
No detection rules found.
No public exploits indexed.
Published: 2026-01-28