Home / Vulnerability Intelligence / CVE-2026-23489

CVE-2026-23489 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 18, 2026

GLPI Fields - Remote Code Execution

Published: March 16, 2026Updated: March 18, 2026Remote Exploitable

Overview

GLPI Fields plugin < 1.23.3 contains a remote code execution caused by insufficient validation in dropdown creation, letting users with dropdown creation permissions execute arbitrary PHP code, exploit requires dropdown creation privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 7.7%(Probability of exploitation in next 30 days)

Impact

Users with dropdown creation permissions can execute arbitrary PHP code, potentially leading to full system compromise.

Mitigation

Update to version 1.23.3 or later.

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 17, 2026

🚨 CVE-2026-23489 (CRITICAL, CVSS 9.1): GLPI 'fields' plugin (<1.23.3) allows privileged users to execute arbitrary PHP code (RCE risk). Patch to 1.23.3+, review permissions, and monitor activity. https://radar.offseq.com/threat/cve-2026-23489-cwe-20-improper-input-validation-in-9483a14f #OffSeq #GLPI #CVE202623489 #infosec

View original post

Related Resources

Details

CVE ID: CVE-2026-23489
Severity: Critical
CVSS Score: 9.1
Type: command_injection
Status: confirmed
EPSS: 7.7%
Social Posts: 1

CWE

CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

7.7%Probability of exploitation in the next 30 days