Cyber Posture

CVE-2026-23489

Critical

Published: 16 March 2026

Published
16 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0013 32.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23489 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Teclib-Edition Fields. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly enforces proper input validation at entry points, addressing the CWE-20 improper input validation that enables arbitrary PHP code execution in the Fields plugin.

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of flaws like this plugin vulnerability, with patching to version 1.23.3 as the primary remediation.

AC-6 Least Privilege partial match
prevent

AC-6 least privilege limits the number of high-privilege users (PR:H) able to create dropdowns and trigger the code execution vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability in the GLPI Fields plugin enables remote exploitation of a public-facing web application via improper input validation, allowing arbitrary PHP code execution by authenticated high-privilege users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been…

more

patched in version 1.23.3.

Deeper analysisAI

CVE-2026-23489 affects the Fields plugin for GLPI, a tool that enables users to add custom fields to GLPI item forms. Prior to version 1.23.3, the plugin contains a vulnerability allowing arbitrary PHP code execution by users with permission to create dropdowns. The flaw is classified under CWE-20 (Improper Input Validation) and received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). It was published on 2026-03-16.

Users with high privileges (PR:H), such as those allowed to create dropdowns, can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation changes scope (S:C) and grants high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), enabling attackers to execute arbitrary PHP code on the server hosting the GLPI instance.

The issue has been addressed in Fields plugin version 1.23.3. Administrators should upgrade to this version or later to mitigate the vulnerability. Further details on the patch and remediation are provided in the GitHub security advisory at GHSA-rj7q-mmx9-fhq7 and the release notes at the 1.23.3 tag.

Details

CWE(s)
CWE-20

Affected Products

teclib-edition
fields
≤ 1.23.3

CVEs Like This One

CVE-2026-22248Same vendor: Teclib-Edition
CVE-2026-3204Shared CWE-20
CVE-2025-8769Shared CWE-20
CVE-2026-6973Shared CWE-20
CVE-2025-48913Shared CWE-20
CVE-2025-1736Shared CWE-20
CVE-2026-27304Shared CWE-20
CVE-2024-42175Shared CWE-20
CVE-2025-23268Shared CWE-20
CVE-2026-26106Shared CWE-20

References