CVE-2026-23489
Received Received - Intake
Arbitrary PHP Code Execution in GLPI Fields Plugin Before

Publication date: 2026-03-16

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23489
EUVD
EUVD-2026-12456
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
teclib-edition fields to 1.23.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23489 is a critical remote code execution (RCE) vulnerability in the Fields plugin for GLPI, affecting versions up to 1.23.2. It allows users who have permission to create dropdowns to execute arbitrary PHP code due to improper input validation. This means that malicious input can be processed without proper checks, enabling attackers to run their own code on the server.

Impact Analysis

This vulnerability can have severe impacts including full compromise of the affected system. An attacker with the required privileges can execute arbitrary PHP code remotely, leading to complete loss of confidentiality, integrity, and availability of the system. This means sensitive data can be stolen or altered, and system operations can be disrupted or taken down.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the Fields plugin for GLPI to version 1.23.3 or later, where the issue has been patched.

Additionally, restrict permissions so that only trusted users have the ability to create dropdowns, as the vulnerability requires such privileges to be exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart