cbcvebase.
CVE-2026-22243
published 2026-01-28

Priority: P2 (score 61, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.36% (27.9th percentile)
EGroupware is a web-based groupware server written in PHP. A SQL injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue in which JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

Affected (5 ranges)

Vendor       Product      Version range                          Fixed in
egroupware   egroupware   < 26.0.20260113                        26.0.20260113
egroupware   egroupware   < 23.1.20260113                        23.1.20260113
egroupware   egroupware   >= 0, < 23.1.20260113                  23.1.20260113
egroupware   egroupware   >= 26.0.20251208, < 26.0.20260113      26.0.20260113
egroupware   egroupware   >= 26.0.20251208, < 26.0.20260113      26.0.20260113

Detection & IOCs (extracted from sources)

  • SQL Injection via Nextmatch filter processing — look for anomalous SQL metacharacters or injected clauses in WHERE conditions originating from Nextmatch filter parameters in EGroupware HTTP requests.
  • Exploitation relies on PHP type juggling: JSON-decoded numeric strings become integers, bypassing the is_int() check. Monitor for JSON-encoded numeric filter values in EGroupware Nextmatch API requests that result in unexpected integer types server-side.
  • Target component is the EGroupware Nextmatch filter processing subsystem. Focus WAF/IDS rules and log review on requests targeting Nextmatch filter endpoints in EGroupware installations running versions prior to 23.1.20260113 or 26.0.20260113.
  • Vulnerability requires authentication — prioritize detection of SQL injection patterns from authenticated sessions in EGroupware access logs, as unauthenticated exploitation is not possible.
  • A public exploit exists for this vulnerability, raising the urgency of patching or mitigating EGroupware instances. Patch to versions 23.1.20260113 or 26.0.20260113.
  • The affected package is egroupware/egroupware (Composer). Ensure dependency scanning covers this package in PHP environments.
  • The fix was added on January 29, 2026. Installations not yet updated to patched versions 23.1.20260113 or 26.0.20260113 remain vulnerable.

CVSS provenance

Source: NVD, CVSS v3.1, score 8.8 (HIGH)
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD, CVSS v4.0, score 8.7 (HIGH)
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X