2026-03-16 17:12 | CVE-2026-23489 | GitHub_M
PUBLISHED | 5.2 | CWE-20

Fields GLPI plugin vulnerable to RCE in dropdown generation

Fields is a GLPI plugin that allows users to add custom fields to GLPI item forms. Prior to version 1.23.3, users who are allowed to create dropdowns can execute arbitrary PHP code. This issue has been patched in version 1.23.3.

Problem type

Affected products

pluginsGLPI

fields

< 1.23.3 - AFFECTED

References

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-23489
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-23489",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-16T17:51:31.011Z",
    "dateReserved": "2026-01-13T15:47:41.628Z",
    "datePublished": "2026-03-16T17:12:43.964Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-16T17:12:43.964Z"
      },
      "title": "Fields GLPI plugin vulnerable to RCE in dropdown generation",
      "descriptions": [
        {
          "lang": "en",
          "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3."
        }
      ],
      "affected": [
        {
          "vendor": "pluginsGLPI",
          "product": "fields",
          "versions": [
            {
              "version": "< 1.23.3",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-20: Improper Input Validation",
              "cweId": "CWE-20",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7",
          "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3",
          "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL"
          }
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-16T17:51:31.011Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}