CRITICALCVE-2026-23489Published 2026-03-16Modified 2026-03-16CNA GitHub_M

CVE-2026-23489: Fields GLPI plugin vulnerable to RCE in dropdown generation

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

pluginsGLPI / fields
< 1.23.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7
https://github.com/pluginsGLPI/fields/releases/tag/1.23.3

Metrics