CVE-2026-23489

Teclib · GLPI Fields Plugin

The GLPI Fields plugin is vulnerable to arbitrary PHP code execution due to insufficient input validation when creating custom dropdown fields.

Executive summary

A critical vulnerability in the GLPI Fields plugin allows authenticated users with specific permissions to execute arbitrary PHP code on the underlying server.

Vulnerability

This is an arbitrary code execution vulnerability in the plugin's form handling logic. It is triggered when a user with permission to create dropdown fields submits malicious input that the plugin processes without adequate sanitization.

Business impact

The ability to execute arbitrary PHP code grants an attacker full control over the application's environment. This poses a severe risk of complete data breach, unauthorized modification of records, and potential lateral movement within the hosting infrastructure. The CVSS score of 9.1 reflects the high potential for total system compromise.

Remediation

Immediate Action: Upgrade the GLPI Fields plugin to version 1.23.3 or later to remove the vulnerable code path.

Proactive Monitoring: Review application and system logs for unexpected PHP execution or modifications to plugin configuration files.

Compensating Controls: Restrict administrative privileges for the "create dropdowns" function to only trusted, essential personnel until the patch is applied.
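The following is an added example, not part of the advisory and not code from Teclib or the GLPI Fields project. It shows how an administrator could check whether an installed copy of the plugin is below the fixed version 1.23.3 stated above. It assumes the plugin declares its version in a setup.php file via a define() named PLUGIN_FIELDS_VERSION (an assumption about the plugin's layout, labelled as such in the code); the setup.php text embedded below is a constructed sample.

```python
import re
import sys

# Fixed version taken from the advisory's remediation section.
FIXED_VERSION = "1.23.3"

# ASSUMPTION: the plugin's setup.php declares its version with a define()
# such as  define('PLUGIN_FIELDS_VERSION', '1.22.0');  Adjust if your copy
# of the plugin declares it differently.
VERSION_DEFINE = re.compile(
    r"""define\(\s*['"]PLUGIN_FIELDS_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_version(version):
    """Turn '1.23.3' into (1, 23, 3).

    Only the leading numeric part of each dotted component is kept, so a
    pre-release tag such as '1.23.3-rc1' compares as 1.23.3.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def extract_plugin_version(setup_php_source):
    """Return the version string declared in setup.php, or None if absent."""
    match = VERSION_DEFINE.search(setup_php_source)
    return match.group(1) if match else None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one.

    Tuples are zero-padded to equal length so '1.23' and '1.23.0' compare
    as equal and '1.23.10' correctly sorts after '1.23.3'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(setup_php_source):
    """Classify a setup.php text as 'vulnerable', 'patched' or 'unknown'."""
    version = extract_plugin_version(setup_php_source)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


# Constructed sample of a setup.php header; not the real plugin file.
SAMPLE_SETUP_PHP = """<?php
define('PLUGIN_FIELDS_VERSION', '1.22.0');
define('PLUGIN_FIELDS_MIN_GLPI', '10.0.0');
"""


if __name__ == "__main__":
    # Usage: python check_fields_version.py /path/to/glpi/plugins/fields/setup.php
    # Without an argument the constructed sample above is assessed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_SETUP_PHP
    status, version = assess(source)
    print(f"GLPI Fields plugin version {version!r}: {status} (fixed in {FIXED_VERSION})")
```

The comparison is done on numeric tuples rather than on strings so that a later patch release such as 1.23.10 is not mistaken for an older one; the script reports "unknown" rather than guessing when it cannot find the version declaration.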

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this remote code execution vulnerability, immediate patching is required. Administrators should verify their installed plugin version and update to 1.23.3 or later without delay to preserve the integrity and security of the GLPI environment.