CVE-2026-23489
Teclib · GLPI Fields Plugin
The GLPI Fields plugin is vulnerable to arbitrary PHP code execution due to insufficient input validation when creating custom dropdown fields.
Executive summary
A critical vulnerability in the GLPI Fields plugin allows an authenticated user who holds the permission to create custom dropdown fields to execute arbitrary PHP code on the server hosting GLPI.
Vulnerability
The flaw sits in the plugin's form-handling logic for custom dropdown fields: input supplied by a user who is allowed to create dropdowns is processed without adequate validation, and a crafted value reaches a code path that executes it as PHP. No unauthenticated path is described; the attacker needs an account that already carries the dropdown-creation right.
Business impact
Arbitrary PHP execution gives an attacker the same access as the web application itself: read and modify any data GLPI stores, alter or plant records, and use the host as a foothold for lateral movement into the surrounding infrastructure. The CVSS score of 9.1 reflects this potential for total compromise of the GLPI host, tempered only by the requirement for an account with the relevant privilege.
Remediation
Immediate Action: Upgrade the GLPI Fields plugin to version 1.23.3 or later; earlier releases contain the vulnerable code path.
Proactive Monitoring: Review application and system logs for unexpected PHP execution or modifications to plugin configuration files. Because the trigger is dropdown-field creation, also review recently created or modified custom dropdown fields and the accounts that created them.
Compensating Controls: Until the patch is applied, restrict the right to create dropdown fields in the Fields plugin to the smallest set of trusted administrators, and audit which profiles currently hold that right.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this code execution vulnerability, patch without delay. Administrators should confirm the installed plugin version, update to 1.23.3 or later, and, if the plugin was exposed to users with the dropdown-creation right before patching, treat the host as potentially compromised until logs and plugin files have been reviewed.
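The following script, added here as an example and not part of the advisory or of the plugin's own code, helps with the version check above. It assumes (this is not stated on the page) that the plugin records its version in setup.php as define('PLUGIN_FIELDS_VERSION', '<x.y.z>') and that the plugin lives under <glpi_root>/plugins/fields or <glpi_root>/marketplace/fields. It treats a pre-release of 1.23.3 as still vulnerable and reports "unknown" rather than "patched" when no version constant is found.

```python
"""
Report whether an installed GLPI Fields plugin is below the fixed version
(1.23.3) for CVE-2026-23489.

Assumptions (not stated in the advisory): the version constant name, its
location in setup.php, and the two candidate plugin directories.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

FIXED_VERSION = "1.23.3"

# Assumed form: define('PLUGIN_FIELDS_VERSION', '1.23.3');  (single or double quotes)
_VERSION_RE = re.compile(
    r"""define\(\s*['"]PLUGIN_FIELDS_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.23.3' or '1.23.3-rc1' into a comparable tuple.

    Numeric components are padded to three; a trailing flag (1 = release,
    0 = pre-release) makes '1.23.3-rc1' sort below '1.23.3', so a pre-release
    of the fixed version is still reported as vulnerable.
    """
    core, _, suffix = version.strip().partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    parts.append(0 if suffix else 1)
    return tuple(parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def extract_version(setup_php: str) -> Optional[str]:
    """Pull the version string out of setup.php contents, or None if absent."""
    match = _VERSION_RE.search(setup_php)
    return match.group(1) if match else None


def check_setup_file(setup_php: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable). vulnerable is None when the version could
    not be determined; treat 'unknown' as a reason to inspect the install, not
    as evidence that it is patched."""
    version = extract_version(setup_php)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


def check_install(glpi_root: str) -> Dict[str, Tuple[Optional[str], Optional[bool]]]:
    """Check every assumed plugin location under a GLPI root directory."""
    results = {}
    for sub in ("plugins/fields", "marketplace/fields"):
        setup = Path(glpi_root) / sub / "setup.php"
        if setup.is_file():
            results[str(setup)] = check_setup_file(setup.read_text(errors="replace"))
    return results


# Constructed sample setup.php fragments for offline use; not taken from the plugin.
SAMPLE_OLD = "<?php\ndefine('PLUGIN_FIELDS_VERSION', '1.21.9');\n"
SAMPLE_FIXED = '<?php\ndefine("PLUGIN_FIELDS_VERSION", "1.23.3");\n'
SAMPLE_PRE = "<?php\ndefine('PLUGIN_FIELDS_VERSION', '1.23.3-rc1');\n"
SAMPLE_MISSING = "<?php\n// no version constant here\n"

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/glpi"  # assumed default path
    found = check_install(root)
    if not found:
        print(f"no Fields plugin setup.php found under {root}")
    for path, (version, vulnerable) in found.items():
        state = "unknown" if vulnerable is None else ("VULNERABLE" if vulnerable else "patched")
        print(f"{path}: version={version} -> {state}")
```

Run it as `python check_fields_version.py /path/to/glpi`; a "VULNERABLE" or "unknown" result means the upgrade to 1.23.3 or later is still outstanding.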