Jan 28, 2026·6 min read·41 visits
EGroupware trusted JSON integers to be safe. They weren't. By sending native integers in a JSON payload, attackers bypass input sanitization that expects strings, injecting unquoted values directly into SQL queries. This allows for database type confusion and unauthorized data access.
A high-severity SQL injection vulnerability in EGroupware's Nextmatch widget allows authenticated attackers to manipulate database queries via JSON type juggling. By leveraging PHP's strict integer handling against a database's implicit casting, attackers can bypass quoting mechanisms and potentially exfiltrate sensitive data or modify records.
In the world of web security, we often obsess over strings. We strip tags, we escape quotes, and we panic over apostrophes. But what happens when the input isn't a string? EGroupware, a robust collaboration platform used by enterprises, fell into a classic trap: assuming that if something looks like a number and smells like a number, it can't possibly be a weapon.
The vulnerability resides in the Nextmatch widget, the core component responsible for rendering lists, calendars, and address books. It's the gatekeeper that decides what you see. To handle complex filtering, Nextmatch accepts JSON payloads. And this is where the plot thickens. JSON supports native types—booleans, nulls, and most importantly, integers.
PHP, being the loosely-typed chaotic neutral language we all love (and fear), interacts with these JSON types in interesting ways. When a developer writes code expecting a standard HTTP POST request (where everything is a string), they might not anticipate the behavior of json_decode. This cognitive gap turned a routine filter feature into a high-severity hole, earning it a CVSS score of 8.7.
The root cause of CVE-2026-22243 is a subtle logic error in how filters are sanitized. The application logic followed a seemingly sound principle: strict validation. Before putting a user-supplied value into a SQL WHERE clause, the code checked its type.
Here is the logic in pseudocode: "If the value is an integer, it's safe. Append it. If it's anything else (like a string), quote and escape it." This relies on the PHP function is_int(). In a standard web request (application/x-www-form-urlencoded), every input is a string. Even id=123 arrives as the string "123". In that scenario, is_int("123") returns false, and the value gets safely quoted as '123'.
But JSON is different. When json_decode processes {"id": 123}, it creates a native PHP integer. Now, is_int(123) returns true. The application sees this, says "Trust me, I'm an engineer," and concatenates the value directly into the SQL string without quotes. This removes the protective layer of quotes, exposing the database to Type Confusion attacks or logic manipulation via numeric literals.
Let's look at the vulnerable pattern. The code likely resembled this simplified logic inside Nextmatch.php:
// VULNERABLE LOGIC
$filter = json_decode($json_input, true);
$query = "SELECT * FROM contacts WHERE ";
foreach ($filter as $col => $val) {
// If it's a native integer, use it directly
if (is_int($val)) {
$query .= $col . " = " . $val;
} else {
// Otherwise, escape and quote it
$query .= $col . " = '" . $db->quote($val) . "'";
}
}The fix implementation (released Jan 13, 2026) forces strict handling regardless of the input type. It stops treating integers as a special "safe" class that deserves unquoted access. The patch ensures that all user inputs, regardless of their JSON data type, are treated with suspicion and properly parameterized or cast explicitly before query construction.
// FIXED LOGIC
// Treat everything as a parameter or force quoting
$query .= $col . " = '" . $db->quote((string)$val) . "'";
// OR better yet, use prepared statements bindingSo how do we exploit this? We can't inject UNION SELECT because is_int() is strict—it won't accept strings containing SQL keywords. However, we can perform Database Type Juggling. This is where the PHP type juggling vulnerability hands the baton to the Database type juggling vulnerability.
Imagine a query filtering by a text column, like username. Normally, the query is WHERE username = 'admin'. If we inject a 0 via JSON ({"username": 0}), the query becomes WHERE username = 0 (no quotes).
In many database configurations (especially older MySQL/MariaDB versions or specific modes), comparing a string column to the integer 0 results in true for every row that doesn't start with a number. This effectively becomes WHERE true.
Attack Scenario:
Nextmatch filter request.status or owner) to the integer 0 or a boolean true (which PHP might cast to 1).SELECT * FROM secret_table WHERE owner = 0.owner string column to integers. Strings like "admin" become 0. The condition matches. The attacker sees data they shouldn't.While this isn't a "drop table" RCE (Remote Code Execution) scenario immediately, the impact is severe for confidentiality and integrity. The vulnerability allows an authenticated user—potentially a low-privileged employee—to bypass horizontal privilege escalation controls.
By manipulating filters:
owner_id checks.status=1 means "Approved", injecting unquoted integers might allow manipulating workflow states if the application relies on string comparisons that are subverted by the injection.The CVSS score of 8.7 reflects this high impact on confidentiality and integrity without requiring user interaction.
Mitigation is straightforward but requires code changes. You cannot fix this with a WAF easily because the payload ({"id": 0}) looks perfectly legitimate. The fix must occur in the PHP logic.
For Administrators: Update EGroupware immediately to version 23.1.20260113 or 26.0.20260113. If you are running an older version, you are exposed.
For Developers:
Stop trusting is_int(), is_numeric(), or gettype() for security decisions regarding SQL generation. Always use Prepared Statements (parameterized queries). If you must build dynamic SQL strings (which you shouldn't), treat every input as hostile and ensure it is enclosed in quotes, regardless of whether PHP thinks it's a harmless integer.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N| Product | Affected Versions | Fixed Version |
|---|---|---|
EGroupware EGroupware | < 23.1.20260113 | 23.1.20260113 |
EGroupware EGroupware | < 26.0.20260113 | 26.0.20260113 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 (SQL Injection) |
| Attack Vector | Network (Authenticated) |
| CVSS Score | 8.7 (High) |
| Exploit Status | No Public PoC |
| Root Cause | PHP Type Juggling / JSON Decoding |
| Affected Component | Nextmatch Filter Widget |
An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.
An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.
GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.
An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.