CVE-2026-23489

Critical

Published: 16 March 2026

Published

16 March 2026

Modified

18 March 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0013 32.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been…

patched in version 1.23.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly enforces proper input validation at entry points, addressing the CWE-20 improper input validation that enables arbitrary PHP code execution in the Fields plugin.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of flaws like this plugin vulnerability, with patching to version 1.23.3 as the primary remediation.

AC-6 Least Privilege partial match

prevent

AC-6 least privilege limits the number of high-privilege users (PR:H) able to create dropdowns and trigger the code execution vulnerability.

Security SummaryAI

CVE-2026-23489 affects the Fields plugin for GLPI, a tool that enables users to add custom fields to GLPI item forms. Prior to version 1.23.3, the plugin contains a vulnerability allowing arbitrary PHP code execution by users with permission to create dropdowns. The flaw is classified under CWE-20 (Improper Input Validation) and received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). It was published on 2026-03-16.

Users with high privileges (PR:H), such as those allowed to create dropdowns, can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation changes scope (S:C) and grants high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), enabling attackers to execute arbitrary PHP code on the server hosting the GLPI instance.

The issue has been addressed in Fields plugin version 1.23.3. Administrators should upgrade to this version or later to mitigate the vulnerability. Further details on the patch and remediation are provided in the GitHub security advisory at GHSA-rj7q-mmx9-fhq7 and the release notes at the 1.23.3 tag.

Details

CWE(s): CWE-20

Affected Products

teclib-edition

fields

≤ 1.23.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability in the GLPI Fields plugin enables remote exploitation of a public-facing web application via improper input validation, allowing arbitrary PHP code execution by authenticated high-privilege users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/pluginsGLPI/fields/releases/tag/1.23.3
Product, Release Notes · security-advisories@github.com
https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7
Vendor Advisory · security-advisories@github.com