CVE-2026-22243: EGroupware has SQL Injection in Nextmatch Filter Processing
Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing
A critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the Nextmatch filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the WHERE clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the is_int() security check used by the application.
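As an added illustration (not EGroupware's code and not taken from the advisory), the following PHP shows the type-juggling behaviour the description refers to: json_decode() assigns a value the PHP type implied by the JSON text alone, so a check such as is_int() reflects how the sender wrote the request rather than anything the application validated. It then shows a filter-to-WHERE builder whose safety does not depend on value types at all: column names are checked against an allowlist and every value is bound as a PDO parameter instead of being concatenated into the query. The helper names decodedType and buildFilterWhere, the column names and the sample JSON bodies are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not EGroupware code. Part 1: json_decode() picks the PHP type
// from the JSON text, so is_int() says nothing about trustworthiness.
// Part 2: a filter builder that never inlines values, so type is irrelevant.

/** Return the PHP type json_decode() assigns to $key in $json. */
function decodedType(string $json, string $key): string
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return gettype($data[$key] ?? null);
}

// Constructed inputs: the same logical value, three PHP types, chosen by the sender.
foreach (['{"owner": 1}', '{"owner": "1"}', '{"owner": 1.0}'] as $json) {
    printf("%-16s -> %s\n", $json, decodedType($json, 'owner'));
}

/**
 * Hypothetical helper: build a WHERE fragment for nextmatch-style filters.
 * Column names must appear in $allowedColumns; every value, whatever its type,
 * becomes a named PDO placeholder. Returns [sqlFragment, params].
 */
function buildFilterWhere(array $filters, array $allowedColumns): array
{
    $clauses = [];
    $params  = [];
    foreach ($filters as $column => $value) {
        // Keys come from the request as well: allow-list them, never trust them.
        // (PHP turns numeric string keys into ints, which is_string() rejects.)
        if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException('Unknown filter column: ' . var_export($column, true));
        }
        if (is_array($value)) {
            if ($value === []) {
                // Empty multi-select: "IN ()" is invalid SQL, so match nothing.
                $clauses[] = '0 = 1';
                continue;
            }
            // Multi-select filter: one placeholder per element inside IN (...).
            $marks = [];
            foreach (array_values($value) as $i => $element) {
                $name = ":{$column}_{$i}";
                $marks[] = $name;
                $params[$name] = $element;
            }
            $clauses[] = $column . ' IN (' . implode(', ', $marks) . ')';
        } else {
            $name = ':' . $column;
            $clauses[] = $column . ' = ' . $name;
            $params[$name] = $value;
        }
    }
    $sql = $clauses === [] ? '' : 'WHERE ' . implode(' AND ', $clauses);
    return [$sql, $params];
}

// Constructed request body: a numeric string and a mixed-type list both bind fine.
$filters = json_decode('{"owner": "1", "status": [2, "3"]}', true, 512, JSON_THROW_ON_ERROR);
[$where, $params] = buildFilterWhere($filters, ['owner', 'status']);
echo $where, PHP_EOL;
print_r($params);
// With a real connection (not shown): $stmt = $pdo->prepare("SELECT * FROM records $where");
//                                     $stmt->execute($params);
```

The design point is that a type test is the wrong gate: deciding "this value is an int, so it may be inlined" couples query safety to how a client encoded its JSON. Binding every value and allow-listing every identifier removes that coupling, and the same builder serves scalar and multi-select filters without any per-type branch.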
References
- github.com/EGroupware/egroupware
- github.com/EGroupware/egroupware/releases/tag/23.1.20260113
- github.com/EGroupware/egroupware/releases/tag/26.0.20260113
- github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx
- github.com/advisories/GHSA-rvxj-7f72-mhrx
- nvd.nist.gov/vuln/detail/CVE-2026-22243