CVE-2026-22243 HIGH

CVE-2026-22243: EGroupware has SQL Injection in Nextmatch Filter Processing

Vendor Egroupware

Product egroupware

Weakness CWE-89 · SQLi

Published January 28, 2026

Last update January 28, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.

Key dates

02Disclosure timeline

January 28, 2026 CVE published

January 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22243 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

Identifiers

CVE CVE-2026-22243

CWE CWE-89

CVSS 8.7 / HIGH

Affected versions

Vendor Egroupware

Product egroupware

Affected < 23.1.20260113

Vendor Egroupware

Product egroupware

Affected < 26.0.20260113

CVE-2026-22243: EGroupware has SQL Injection in Nextmatch Filter Processing

01Description

02Disclosure timeline

03References

04Related CVE