Search criteria
548 vulnerabilities found for GLPI by Glpi-Project
FKIE_CVE-2026-23624
Vulnerability from fkie_nvd - Published: 2026-02-04 18:16 - Updated: 2026-02-06 21:18
Severity ?
4.3 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * | |
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D09C27B0-C82A-4F14-845D-FF7991EDBBE4",
"versionEndExcluding": "10.0.23",
"versionStartIncluding": "0.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C13BB849-4C19-473A-B105-57915EE59C49",
"versionEndExcluding": "11.0.5",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."
}
],
"id": "CVE-2026-23624",
"lastModified": "2026-02-06T21:18:17.370",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-04T18:16:08.913",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2026-22247
Vulnerability from fkie_nvd - Published: 2026-02-04 18:16 - Updated: 2026-02-06 21:19
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C13BB849-4C19-473A-B105-57915EE59C49",
"versionEndExcluding": "11.0.5",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."
}
],
"id": "CVE-2026-22247",
"lastModified": "2026-02-06T21:19:00.433",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-04T18:16:08.753",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2026-22044
Vulnerability from fkie_nvd - Published: 2026-02-04 18:16 - Updated: 2026-02-06 21:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD484FC7-BC66-4499-B835-378F634F8155",
"versionEndExcluding": "10.0.23",
"versionStartIncluding": "0.85",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."
}
],
"id": "CVE-2026-22044",
"lastModified": "2026-02-06T21:19:53.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-04T18:16:08.580",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-66417
Vulnerability from fkie_nvd - Published: 2026-01-15 17:16 - Updated: 2026-01-21 20:54
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9EA5DDA-E0E7-4530-B266-309AF584D327",
"versionEndExcluding": "11.0.3",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From 11.0.0, \u003c 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3."
}
],
"id": "CVE-2025-66417",
"lastModified": "2026-01-21T20:54:11.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-15T17:16:04.733",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-64516
Vulnerability from fkie_nvd - Published: 2026-01-15 16:16 - Updated: 2026-01-21 20:53
Severity ?
Summary
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * | |
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71497A1A-8C87-48D5-9BA2-CFFF057BC3A7",
"versionEndExcluding": "10.0.21",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9EA5DDA-E0E7-4530-B266-309AF584D327",
"versionEndExcluding": "11.0.3",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3."
}
],
"id": "CVE-2025-64516",
"lastModified": "2026-01-21T20:53:37.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-15T16:16:11.487",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.21"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2023-53943
Vulnerability from fkie_nvd - Published: 2025-12-18 20:15 - Updated: 2025-12-31 17:34
Severity ?
Summary
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
References
| URL | Tags | ||
|---|---|---|---|
| disclosure@vulncheck.com | https://glpi-project.org/pt-br/ | Product | |
| disclosure@vulncheck.com | https://www.exploit-db.com/exploits/51418 | Exploit, Third Party Advisory | |
| disclosure@vulncheck.com | https://www.vulncheck.com/advisories/glpi-username-enumeration-vulnerability-via-lost-password-endpoint | Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.exploit-db.com/exploits/51418 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | 9.5.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:9.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "33DAB2AC-0B1F-4212-942B-574822C432E0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts."
}
],
"id": "CVE-2023-53943",
"lastModified": "2025-12-31T17:34:30.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-12-18T20:15:52.940",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Product"
],
"url": "https://glpi-project.org/pt-br/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.exploit-db.com/exploits/51418"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/glpi-username-enumeration-vulnerability-via-lost-password-endpoint"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.exploit-db.com/exploits/51418"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-203"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64520
Vulnerability from fkie_nvd - Published: 2025-12-16 22:15 - Updated: 2026-02-19 16:20
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CB32F29-AA61-4565-A618-E9F88B16669C",
"versionEndExcluding": "10.0.21",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch."
}
],
"id": "CVE-2025-64520",
"lastModified": "2026-02-19T16:20:09.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-12-16T22:15:48.250",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-59935
Vulnerability from fkie_nvd - Published: 2025-12-16 17:16 - Updated: 2026-02-02 14:59
Severity ?
Summary
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71497A1A-8C87-48D5-9BA2-CFFF057BC3A7",
"versionEndExcluding": "10.0.21",
"versionStartIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch."
}
],
"id": "CVE-2025-59935",
"lastModified": "2026-02-02T14:59:28.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-16T17:16:10.137",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-53357
Vulnerability from fkie_nvd - Published: 2025-07-30 15:15 - Updated: 2025-08-04 18:57
Severity ?
Summary
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E1D7EB0-B6FF-4D1A-8B1C-F206E38D3839",
"versionEndExcluding": "10.0.19",
"versionStartIncluding": "0.78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19."
},
{
"lang": "es",
"value": "GLPI, acr\u00f3nimo de Gestionnaire Libre de Parc Informatique, es un paquete de software gratuito para la gesti\u00f3n de activos y TI que ofrece funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. En las versiones 0.78 a 10.0.18, un usuario conectado pod\u00eda modificar las reservas de otro usuario. Esto se solucion\u00f3 en la versi\u00f3n 10.0.19."
}
],
"id": "CVE-2025-53357",
"lastModified": "2025-08-04T18:57:31.007",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-30T15:15:35.060",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53112
Vulnerability from fkie_nvd - Published: 2025-07-30 15:15 - Updated: 2025-08-04 18:56
Severity ?
Summary
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9660BBBA-49A7-49AA-A6AA-EFD678B5F07A",
"versionEndExcluding": "10.0.19",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19."
},
{
"lang": "es",
"value": "GLPI es un paquete gratuito de software de gesti\u00f3n de activos y TI que ofrece funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. En las versiones 9.1.0 a 10.0.18, la falta de comprobaciones de permisos pod\u00eda provocar la eliminaci\u00f3n no autorizada de algunos recursos espec\u00edficos. Esto se ha corregido en la versi\u00f3n 10.0.19."
}
],
"id": "CVE-2025-53112",
"lastModified": "2025-08-04T18:56:49.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-30T15:15:34.767",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53113
Vulnerability from fkie_nvd - Published: 2025-07-30 15:15 - Updated: 2025-08-04 18:57
Severity ?
Summary
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "161A078A-0555-4A8D-AF40-840E28DC6962",
"versionEndExcluding": "10.0.19",
"versionStartIncluding": "0.65",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19."
},
{
"lang": "es",
"value": "GLPI, acr\u00f3nimo de Gestionnaire Libre de Parc Informatique, es un paquete de software gratuito para la gesti\u00f3n de activos y TI que ofrece funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. En las versiones 0.65 a 10.0.18, un t\u00e9cnico puede usar la funci\u00f3n de enlaces externos para obtener informaci\u00f3n sobre elementos a los que no tiene acceso. Esto se solucion\u00f3 en la versi\u00f3n 10.0.19."
}
],
"id": "CVE-2025-53113",
"lastModified": "2025-08-04T18:57:15.473",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-30T15:15:34.910",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53111
Vulnerability from fkie_nvd - Published: 2025-07-30 15:15 - Updated: 2025-08-04 18:56
Severity ?
Summary
GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| glpi-project | glpi | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC98CD8D-2159-43BA-8936-10472110016A",
"versionEndExcluding": "10.0.19",
"versionStartIncluding": "0.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19."
},
{
"lang": "es",
"value": "GLPI es un paquete gratuito de software de gesti\u00f3n de activos y TI. En las versiones 0.80 a 10.0.18, la falta de verificaci\u00f3n de permisos puede provocar acceso no autorizado a algunos recursos. Esto se solucion\u00f3 en la versi\u00f3n 10.0.19."
}
],
"id": "CVE-2025-53111",
"lastModified": "2025-08-04T18:56:30.740",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-30T15:15:34.617",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2026-22044 (GCVE-0-2026-22044)
Vulnerability from cvelistv5 – Published: 2026-02-04 17:15 – Updated: 2026-02-04 19:27
VLAI?
Title
GLPI is Vulnerable to Authenticated SQL Injection
Summary
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 0.85, < 10.0.23
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:27:25.137739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:27:43.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.85, \u003c 10.0.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:15:39.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
}
],
"source": {
"advisory": "GHSA-569q-j526-w385",
"discovery": "UNKNOWN"
},
"title": "GLPI is Vulnerable to Authenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22044",
"datePublished": "2026-02-04T17:15:39.205Z",
"dateReserved": "2026-01-05T22:30:38.720Z",
"dateUpdated": "2026-02-04T19:27:43.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23624 (GCVE-0-2026-23624)
Vulnerability from cvelistv5 – Published: 2026-02-04 17:15 – Updated: 2026-02-04 19:56
VLAI?
Title
GLPI is vulnerable to session stealing on externally authenticated user change
Summary
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
Severity ?
4.3 (Medium)
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 0.71, < 10.0.23
Affected: >= 11.0.0-alpha, < 11.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:56:08.999117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:56:27.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.71, \u003c 10.0.23"
},
{
"status": "affected",
"version": "\u003e= 11.0.0-alpha, \u003c 11.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:15:33.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
}
],
"source": {
"advisory": "GHSA-5j4j-vx46-r477",
"discovery": "UNKNOWN"
},
"title": "GLPI is vulnerable to session stealing on externally authenticated user change"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23624",
"datePublished": "2026-02-04T17:15:33.750Z",
"dateReserved": "2026-01-14T16:08:37.482Z",
"dateUpdated": "2026-02-04T19:56:27.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22247 (GCVE-0-2026-22247)
Vulnerability from cvelistv5 – Published: 2026-02-04 17:10 – Updated: 2026-02-05 14:33
VLAI?
Title
GLPI is Vulnerable to SSRF via Webhooks
Summary
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Severity ?
4.1 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 11.0.0, < 11.0.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:20:18.955924Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:33:19.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:10:30.153Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
}
],
"source": {
"advisory": "GHSA-f6f6-v3qr-9p5x",
"discovery": "UNKNOWN"
},
"title": "GLPI is Vulnerable to SSRF via Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22247",
"datePublished": "2026-02-04T17:10:30.153Z",
"dateReserved": "2026-01-07T05:19:12.921Z",
"dateUpdated": "2026-02-05T14:33:19.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66417 (GCVE-0-2025-66417)
Vulnerability from cvelistv5 – Published: 2026-01-15 16:25 – Updated: 2026-01-15 16:45
VLAI?
Title
GLPI has an unauthenticated SQL injection through the inventory endpoint
Summary
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 11.0.0, < 11.0.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:45:18.351294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:45:31.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From 11.0.0, \u003c 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:25:03.467Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9"
}
],
"source": {
"advisory": "GHSA-p467-682w-9cc9",
"discovery": "UNKNOWN"
},
"title": "GLPI has an unauthenticated SQL injection through the inventory endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66417",
"datePublished": "2026-01-15T16:25:03.467Z",
"dateReserved": "2025-11-28T23:33:56.366Z",
"dateUpdated": "2026-01-15T16:45:31.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64516 (GCVE-0-2025-64516)
Vulnerability from cvelistv5 – Published: 2026-01-15 16:01 – Updated: 2026-01-15 16:08
VLAI?
Title
GLPI incorrectly authorizes access to documents
Summary
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.21
Affected: >= 11.0.0, < 11.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:08:14.106937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:08:18.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.21"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:01:03.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46"
},
{
"name": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c"
},
{
"name": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.21"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.3"
}
],
"source": {
"advisory": "GHSA-487h-7mxm-7r46",
"discovery": "UNKNOWN"
},
"title": "GLPI incorrectly authorizes access to documents"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64516",
"datePublished": "2026-01-15T16:01:03.470Z",
"dateReserved": "2025-11-05T21:15:39.400Z",
"dateUpdated": "2026-01-15T16:08:18.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53943 (GCVE-0-2023-53943)
Vulnerability from cvelistv5 – Published: 2025-12-18 19:53 – Updated: 2025-12-18 21:19
VLAI?
Title
GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint
Summary
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
Severity ?
5.3 (Medium)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Glpi-Project | GLPI |
Affected:
9.5.7
|
Credits
Rafael B.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53943",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:01:27.912804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T21:19:27.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51418"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GLPI",
"vendor": "Glpi-Project",
"versions": [
{
"status": "affected",
"version": "9.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafael B."
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T19:53:36.242Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51418",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51418"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://glpi-project.org/pt-br/"
},
{
"name": "VulnCheck Advisory: GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/glpi-username-enumeration-vulnerability-via-lost-password-endpoint"
}
],
"title": "GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53943",
"datePublished": "2025-12-18T19:53:36.242Z",
"dateReserved": "2025-12-16T19:22:09.998Z",
"dateUpdated": "2025-12-18T21:19:27.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64520 (GCVE-0-2025-64520)
Vulnerability from cvelistv5 – Published: 2025-12-16 21:59 – Updated: 2025-12-17 21:09
VLAI?
Title
GLPI vulnerable to unauthorized access to restricted Knowledge Base items through the API
Summary
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 9.1.0, < 10.0.21
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64520",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:08:57.867435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:09:17.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.1.0, \u003c 10.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:59:02.772Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q"
},
{
"name": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3"
}
],
"source": {
"advisory": "GHSA-62p9-prpq-j62q",
"discovery": "UNKNOWN"
},
"title": "GLPI vulnerable to unauthorized access to restricted Knowledge Base items through the API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64520",
"datePublished": "2025-12-16T21:59:02.772Z",
"dateReserved": "2025-11-05T21:15:39.400Z",
"dateUpdated": "2025-12-17T21:09:17.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59935 (GCVE-0-2025-59935)
Vulnerability from cvelistv5 – Published: 2025-12-16 16:34 – Updated: 2025-12-16 17:15
VLAI?
Title
GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page
Summary
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.21
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:15:15.316595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:15:24.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T16:34:46.251Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx"
}
],
"source": {
"advisory": "GHSA-j8vv-9f8m-r7jx",
"discovery": "UNKNOWN"
},
"title": "GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59935",
"datePublished": "2025-12-16T16:34:46.251Z",
"dateReserved": "2025-09-23T14:33:49.505Z",
"dateUpdated": "2025-12-16T17:15:24.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53105 (GCVE-0-2025-53105)
Vulnerability from cvelistv5 – Published: 2025-08-27 14:40 – Updated: 2025-08-27 14:53
VLAI?
Title
GLPI permits unauthorized rules execution order
Summary
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.19
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T14:53:30.061288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T14:53:44.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T14:40:36.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.19"
}
],
"source": {
"advisory": "GHSA-334r-2682-95wc",
"discovery": "UNKNOWN"
},
"title": "GLPI permits unauthorized rules execution order"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53105",
"datePublished": "2025-08-27T14:40:36.061Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-08-27T14:53:44.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-22044 (GCVE-0-2026-22044)
Vulnerability from nvd – Published: 2026-02-04 17:15 – Updated: 2026-02-04 19:27
VLAI?
Title
GLPI is Vulnerable to Authenticated SQL Injection
Summary
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 0.85, < 10.0.23
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:27:25.137739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:27:43.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.85, \u003c 10.0.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:15:39.205Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
}
],
"source": {
"advisory": "GHSA-569q-j526-w385",
"discovery": "UNKNOWN"
},
"title": "GLPI is Vulnerable to Authenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22044",
"datePublished": "2026-02-04T17:15:39.205Z",
"dateReserved": "2026-01-05T22:30:38.720Z",
"dateUpdated": "2026-02-04T19:27:43.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23624 (GCVE-0-2026-23624)
Vulnerability from nvd – Published: 2026-02-04 17:15 – Updated: 2026-02-04 19:56
VLAI?
Title
GLPI is vulnerable to session stealing on externally authenticated user change
Summary
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
Severity ?
4.3 (Medium)
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 0.71, < 10.0.23
Affected: >= 11.0.0-alpha, < 11.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:56:08.999117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:56:27.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.71, \u003c 10.0.23"
},
{
"status": "affected",
"version": "\u003e= 11.0.0-alpha, \u003c 11.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:15:33.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
}
],
"source": {
"advisory": "GHSA-5j4j-vx46-r477",
"discovery": "UNKNOWN"
},
"title": "GLPI is vulnerable to session stealing on externally authenticated user change"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23624",
"datePublished": "2026-02-04T17:15:33.750Z",
"dateReserved": "2026-01-14T16:08:37.482Z",
"dateUpdated": "2026-02-04T19:56:27.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22247 (GCVE-0-2026-22247)
Vulnerability from nvd – Published: 2026-02-04 17:10 – Updated: 2026-02-05 14:33
VLAI?
Title
GLPI is Vulnerable to SSRF via Webhooks
Summary
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Severity ?
4.1 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 11.0.0, < 11.0.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T14:20:18.955924Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T14:33:19.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:10:30.153Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"
}
],
"source": {
"advisory": "GHSA-f6f6-v3qr-9p5x",
"discovery": "UNKNOWN"
},
"title": "GLPI is Vulnerable to SSRF via Webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22247",
"datePublished": "2026-02-04T17:10:30.153Z",
"dateReserved": "2026-01-07T05:19:12.921Z",
"dateUpdated": "2026-02-05T14:33:19.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66417 (GCVE-0-2025-66417)
Vulnerability from nvd – Published: 2026-01-15 16:25 – Updated: 2026-01-15 16:45
VLAI?
Title
GLPI has an unauthenticated SQL injection through the inventory endpoint
Summary
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 11.0.0, < 11.0.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:45:18.351294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:45:31.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. From 11.0.0, \u003c 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:25:03.467Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9"
}
],
"source": {
"advisory": "GHSA-p467-682w-9cc9",
"discovery": "UNKNOWN"
},
"title": "GLPI has an unauthenticated SQL injection through the inventory endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66417",
"datePublished": "2026-01-15T16:25:03.467Z",
"dateReserved": "2025-11-28T23:33:56.366Z",
"dateUpdated": "2026-01-15T16:45:31.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64516 (GCVE-0-2025-64516)
Vulnerability from nvd – Published: 2026-01-15 16:01 – Updated: 2026-01-15 16:08
VLAI?
Title
GLPI incorrectly authorizes access to documents
Summary
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.21
Affected: >= 11.0.0, < 11.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:08:14.106937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:08:18.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.21"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:01:03.470Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46"
},
{
"name": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c"
},
{
"name": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.21"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.3"
}
],
"source": {
"advisory": "GHSA-487h-7mxm-7r46",
"discovery": "UNKNOWN"
},
"title": "GLPI incorrectly authorizes access to documents"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64516",
"datePublished": "2026-01-15T16:01:03.470Z",
"dateReserved": "2025-11-05T21:15:39.400Z",
"dateUpdated": "2026-01-15T16:08:18.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53943 (GCVE-0-2023-53943)
Vulnerability from nvd – Published: 2025-12-18 19:53 – Updated: 2025-12-18 21:19
VLAI?
Title
GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint
Summary
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
Severity ?
5.3 (Medium)
CWE
- CWE-203 - Observable Discrepancy
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Glpi-Project | GLPI |
Affected:
9.5.7
|
Credits
Rafael B.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53943",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:01:27.912804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T21:19:27.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51418"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GLPI",
"vendor": "Glpi-Project",
"versions": [
{
"status": "affected",
"version": "9.5.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafael B."
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T19:53:36.242Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51418",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51418"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://glpi-project.org/pt-br/"
},
{
"name": "VulnCheck Advisory: GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/glpi-username-enumeration-vulnerability-via-lost-password-endpoint"
}
],
"title": "GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53943",
"datePublished": "2025-12-18T19:53:36.242Z",
"dateReserved": "2025-12-16T19:22:09.998Z",
"dateUpdated": "2025-12-18T21:19:27.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64520 (GCVE-0-2025-64520)
Vulnerability from nvd – Published: 2025-12-16 21:59 – Updated: 2025-12-17 21:09
VLAI?
Title
GLPI vulnerable to unauthorized access to restricted Knowledge Base items through the API
Summary
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 9.1.0, < 10.0.21
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64520",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T21:08:57.867435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T21:09:17.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.1.0, \u003c 10.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:59:02.772Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q"
},
{
"name": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3"
}
],
"source": {
"advisory": "GHSA-62p9-prpq-j62q",
"discovery": "UNKNOWN"
},
"title": "GLPI vulnerable to unauthorized access to restricted Knowledge Base items through the API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64520",
"datePublished": "2025-12-16T21:59:02.772Z",
"dateReserved": "2025-11-05T21:15:39.400Z",
"dateUpdated": "2025-12-17T21:09:17.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59935 (GCVE-0-2025-59935)
Vulnerability from nvd – Published: 2025-12-16 16:34 – Updated: 2025-12-16 17:15
VLAI?
Title
GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page
Summary
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.21
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:15:15.316595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:15:24.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T16:34:46.251Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx"
}
],
"source": {
"advisory": "GHSA-j8vv-9f8m-r7jx",
"discovery": "UNKNOWN"
},
"title": "GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59935",
"datePublished": "2025-12-16T16:34:46.251Z",
"dateReserved": "2025-09-23T14:33:49.505Z",
"dateUpdated": "2025-12-16T17:15:24.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53105 (GCVE-0-2025-53105)
Vulnerability from nvd – Published: 2025-08-27 14:40 – Updated: 2025-08-27 14:53
VLAI?
Title
GLPI permits unauthorized rules execution order
Summary
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glpi-project | glpi |
Affected:
>= 10.0.0, < 10.0.19
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T14:53:30.061288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T14:53:44.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glpi",
"vendor": "glpi-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.0.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T14:40:36.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc"
},
{
"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.19"
}
],
"source": {
"advisory": "GHSA-334r-2682-95wc",
"discovery": "UNKNOWN"
},
"title": "GLPI permits unauthorized rules execution order"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53105",
"datePublished": "2025-08-27T14:40:36.061Z",
"dateReserved": "2025-06-25T13:41:23.086Z",
"dateUpdated": "2025-08-27T14:53:44.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}