Description
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
Published: 2026-01-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw is a classic SQL injection in the Nextmatch filter handling of EGroupware. An authenticated user can submit JSON-encoded input that is decoded into numeric values, bypassing the is_int() security check that protects the WHERE clause of database queries. This type juggling mistake enables the attacker to inject and execute arbitrary SQL statements, potentially reading, modifying, or deleting data from the database. The vulnerability resides in core PHP code used by the web‑based groupware interface.

Affected Systems

All community editions of EGroupware running versions older than 23.1.20260113 and 26.0.20260113 are affected. The fix was delivered in those two releases, so any installation of those earlier versions must update to the patched releases.

Risk and Exploitability

The CVSS score of 8.7 signals high severity, while the EPSS score is less than 1 %, indicating a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been confirmed yet. An attacker must first be authenticated to EGroupware, but once logged in they can craft malicious Nextmatch filter parameters to inject SQL, with the potential for significant data exposure or alteration depending on database access rights.

Generated by OpenCVE AI on April 18, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fixes delivered in EGroupware 23.1.20260113 or 26.0.20260113 and discontinue use of older releases.
  • Restrict or remove user permissions that allow use of the Nextmatch filter feature to limit the attack surface.
  • Monitor application logs for anomalous SQL fragments or repeated failed queries that may indicate abuse of the vulnerable code path.

Generated by OpenCVE AI on April 18, 2026 at 01:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rvxj-7f72-mhrx EGroupware has SQL Injection in Nextmatch Filter Processing
History

Thu, 19 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:egroupware:egroupware:*:*:*:*:community:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Egroupware
Egroupware egroupware
Vendors & Products Egroupware
Egroupware egroupware

Wed, 28 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
Title EGroupware has SQL Injection in Nextmatch Filter Processing
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Egroupware Egroupware
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T16:28:24.378Z

Reserved: 2026-01-07T05:19:12.920Z

Link: CVE-2026-22243

cve-icon Vulnrichment

Updated: 2026-01-28T16:28:13.675Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-28T17:16:15.663

Modified: 2026-02-19T21:21:44.660

Link: CVE-2026-22243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses