Remote Code Execution Vulnerability in GLPI Plugin by Plugins GLPI
CVE-2026-23489

9.1CRITICAL

Key Information:

Status
Vendor
CVE Published:
16 March 2026

What is CVE-2026-23489?

The GLPI Fields plugin, designed to enhance GLPI item forms with custom fields, contains a significant vulnerability that permits users allowed to create dropdowns to execute arbitrary PHP code. This oversight affects versions prior to 1.23.3 and has been addressed in the latest update. Organizations using this plugin are urged to upgrade to version 1.23.3 or later to mitigate potential security risks.

Affected Version(s)

fields < 1.23.3

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.