Cyber Resilience

CVE-2026-23489

Critical

Published: 16 March 2026

Published
16 March 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0030 21.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-23489 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Teclib-Edition Fields. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23489 affects the Fields plugin for GLPI, a tool that enables users to add custom fields to GLPI item forms. Prior to version 1.23.3, the plugin contains a vulnerability allowing arbitrary PHP code execution by users with permission to create dropdowns. The flaw is classified under CWE-20 (Improper Input Validation) and received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). It was published on 2026-03-16.

Users with high privileges (PR:H), such as those allowed to create dropdowns, can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation changes scope (S:C) and grants high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), enabling attackers to execute arbitrary PHP code on the server hosting the GLPI instance.

The issue has been addressed in Fields plugin version 1.23.3. Administrators should upgrade to this version or later to mitigate the vulnerability. Further details on the patch and remediation are provided in the GitHub security advisory at GHSA-rj7q-mmx9-fhq7 and the release notes at the 1.23.3 tag.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been…

more

patched in version 1.23.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in the GLPI Fields plugin enables remote exploitation of a public-facing web application via improper input validation, allowing arbitrary PHP code execution by authenticated high-privilege users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22248Same vendor: Teclib-Edition
CVE-2025-48913Shared CWE-20
CVE-2025-67484Shared CWE-20
CVE-2026-4755Shared CWE-20
CVE-2025-54385Shared CWE-20
CVE-2026-48188Shared CWE-20
CVE-2026-22567Shared CWE-20
CVE-2026-26063Shared CWE-20
CVE-2024-36047Shared CWE-20
CVE-2025-37173Shared CWE-20

Affected Assets

teclib-edition
fields
≤ 1.23.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly enforces proper input validation at entry points, addressing the CWE-20 improper input validation that enables arbitrary PHP code execution in the Fields plugin.

prevent

SI-2 requires timely identification, reporting, and correction of flaws like this plugin vulnerability, with patching to version 1.23.3 as the primary remediation.

prevent

AC-6 least privilege limits the number of high-privilege users (PR:H) able to create dropdowns and trigger the code execution vulnerability.

References