CVE-2026-23489 · CRITICAL 9.1 · EPSS p21.5%

Description

Fields is a GLPI plugin that allows users to add custom fields to GLPI item forms. Prior to version 1.23.3, users who are allowed to create dropdowns can execute arbitrary PHP code. This issue has been patched in version 1.23.3.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.5% · 2026-06-19T12:03:05Z
Published: 2026-03-16
Last modified: 2026-03-18

Underlying weaknesses · 1

CWE-20

References

  1. https://github.com/pluginsGLPI/fields/releases/tag/1.23.3
  2. https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7

Type: Weakness · Target: Improper Input Validation (cwe-20) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-13486
CVE: CVE-2025-24801
CVE: CVE-2026-22248
CVE: Drupal Core Remote Code Execution Vulnerability
CVE: CVE-2026-26001
CVE: CVE-2026-22044

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.