Description
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
Published: 2026-03-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Fields is a GLPI plugin used to add custom fields to GLPI item forms. This vulnerability allows an attacker with permission to create dropdowns to execute arbitrary PHP code on the GLPI server. As a result, the attacker can gain full control of the GLPI instance, compromising confidentiality, integrity, and availability. The weakness is an input validation flaw (CWE-20).

Affected Systems

The vulnerability affects the GLPI Fields plugin version 1.23.2 and earlier. Any instance running a plugin version earlier than 1.23.3 is susceptible.

Risk and Exploitability

The CVSS 3.1 score of 9.1 (Critical) reflects remote code execution that is reachable over the network with low attack complexity and no user interaction, but that requires high privileges (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The EPSS score of < 1% indicates a low estimated probability of exploitation in the near term, not that exploitation is impossible. The vulnerability is not listed in the CISA KEV catalog. An attacker needs permission to create dropdowns in the plugin, which is typically restricted to administrators or trusted users. With that permission, the attacker can supply malicious input during dropdown creation to trigger code execution.

Generated by OpenCVE AI on March 18, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GLPI Fields plugin to version 1.23.3 or later to patch the vulnerability.
  • Restrict permissions to create dropdowns to trusted administrators only.
  • Verify the GLPI configuration to ensure untrusted users cannot create custom fields.
  • Monitor system logs for suspicious dropdown creation activity.



Advisories

No advisories yet.

History

Wed, 18 Mar 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Teclib-edition; Teclib-edition fields |
| CPEs | | `cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*` |
| Vendors & Products | | Teclib-edition; Teclib-edition fields |

Tue, 17 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Pluginsglpi; Pluginsglpi fields |
| Vendors & Products | | Pluginsglpi; Pluginsglpi fields |

Mon, 16 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 16 Mar 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3. |
| Title | | Fields GLPI plugin vulnerable to RCE in dropdown generation |
| Weaknesses | | CWE-20 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:51:31.011Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23489

Vulnrichment

Updated: 2026-03-16T17:46:44.588Z

NVD

Status: Analyzed

Published: 2026-03-16T18:16:06.800

Modified: 2026-03-18T13:57:05.093

Link: CVE-2026-23489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:09Z
