VYPR
High severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-42317

Description

GLPI versions prior to 10.0.25 and 11.0.7 allow technicians to delete arbitrary files if the webserver has write permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GLPI versions from 0.78 up to but not including 10.0.25, and 11.x releases earlier than 11.0.7, are vulnerable to arbitrary file deletion. A user with the technician profile can trigger it; the deletion succeeds only for paths the webserver process has write permission on [1].

Exploitation

An authenticated technician triggers a file deletion that the application performs on their behalf. Because the target is not confined to GLPI's own data, the deletion can reach files outside the application's directory; the only limit is which paths the webserver process is allowed to write [1]. The advisory does not identify the endpoint, form or parameter involved.

Impact

Successful exploitation allows a technician user to delete arbitrary files from the filesystem. This can lead to data loss, system instability, or denial of service, depending on the files targeted for deletion [1].

Mitigation

Upgrade to GLPI 10.0.25 (10.x branch) or 11.0.7 (11.x branch), the first releases that contain the fix [1]. Until the upgrade is in place, limit the blast radius by running the webserver with write permission only on the directories GLPI actually needs to modify (its files and configuration data): the deletion can only reach paths the webserver process can write, so every directory it cannot write is out of reach regardless of the bug.

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 version ranges inferred for Glpi Project / GLPI (no CPE assigned):
  • 10.x branch: >=0.78, <10.0.25
  • 11.x branch: <11.0.7 (lower bound not stated in the advisory)

Patches

2 commits

3389dbf83623

Merge commit from fork

Repository: https://github.com/glpi-project/glpi · Author: Cédric Anne · Apr 29, 2026 · Fixed in 10.0.25 (via llm-release-walk)
1 file changed · +1 −1
  • src/Lock.php (modified, +1 −1)
    @@ -284,7 +284,7 @@ public static function showForItem(CommonDBTM $item)
                         if ($default_items_id !== null && is_a($row['itemtype'], CommonDBRelation::class, true)) {
                             $related_object = new $default_itemtype();
                             $related_object->getFromDB($object->fields[$default_items_id]);
    -                        $default_object_link = "<a href='" . $object->getLinkURL() . "'" . $related_object->getName() . ">" . $related_object->getName() . "</a>";
    +                        $default_object_link = "<a href='" . $object->getLinkURL() . "'>" . $related_object->getName() . "</a>";
                         }
     
                         echo "<td class='left'>" . $default_itemtype_label . "</td>";
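Review bot: the removed `$related_object->getName()` on the `-` line sat between the closing quote of `href` and `>`, so the object's name was being emitted as raw markup inside the `<a>` opening tag; the `+` line closes the tag correctly, but the same `getName()` value is still concatenated unescaped into the link text on that line, and if a name can contain `<`, `>` or `&` it should pass through an HTML-escaping call (for example htmlspecialchars()) before being echoed. Note also that this hunk touches only anchor generation in Lock::showForItem() and no file-deletion code, so it cannot by itself be the change that closes the arbitrary file deletion this page attributes to the commit; the remainder of the merge is not reproduced here.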
    
0ea900cb51a3

Bump version

Repository: https://github.com/glpi-project/glpi · Author: Johan Cwiklinski · Apr 29, 2026 · Fixed in 11.0.7 (via release-tag)
1 file changed · +1 −1
  • src/autoload/constants.php (modified, +1 −1)
    @@ -40,7 +40,7 @@
     define('GLPI_ROOT', dirname(__DIR__, 2));
     
     // Current version of GLPI
    -define('GLPI_VERSION', '11.0.7-dev');
    +define('GLPI_VERSION', '11.0.7');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
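Review bot: this hunk only changes the GLPI_VERSION constant from '11.0.7-dev' to '11.0.7' and contains no code that addresses the file deletion; it marks the 11.0.7 release boundary, so it should be cited as the fixed-version tag rather than as the fix itself.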
    

Vulnerability mechanics

Root cause

"The application allows a technician to delete arbitrary files if the webserver has write permissions on them."

Attack vector

A technician user triggers a file deletion operation offered by the application. The advisory does not describe the mechanism or name the endpoint or user interface element involved; the shape consistent with the description is a deletion whose target path is not confined to the intended directory, so that any path the webserver process can delete is reachable, not only GLPI's own files.
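The missing-confinement pattern described above, as an added illustration that is not GLPI's code and not taken from the advisory: a hypothetical attachment-removal helper `deleteAttachmentVulnerable()` joins a caller-controlled name to a base directory and calls unlink(), and `deleteAttachmentSafe()` shows the same operation confined to that directory. The helper names, the temporary directory layout and the file contents are assumptions constructed for the demo.

```php
<?php
// Added illustration, not GLPI's code: hypothetical attachment-removal helpers in a
// vulnerable form and a hardened form. Names, paths and contents are constructed here.
declare(strict_types=1);

// Vulnerable: the caller-supplied name is joined to the base directory and handed to
// unlink() without validation. A name such as "../../config/config_db.php" or an
// absolute path escapes the intended directory; the only remaining limit is which
// paths the webserver process is allowed to write, which is exactly the precondition
// stated in the advisory.
function deleteAttachmentVulnerable(string $baseDir, string $name): bool
{
    $path = $baseDir . '/' . $name;
    return @unlink($path);
}

// Hardened: accept only a bare file name, refuse symlinks inside the directory, resolve
// with realpath() (which collapses ".." and follows links) and then require the resolved
// target to sit strictly under the resolved base directory before calling unlink().
function deleteAttachmentSafe(string $baseDir, string $name): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // No separators, no NUL byte, no dot segments: the name must be a plain file name.
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if (is_link($candidate)) {
        return false; // a planted symlink would redirect the unlink elsewhere
    }
    $target = realpath($candidate);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check on the resolved path, not on the string the caller supplied.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Throwaway directory tree built for the demo (constructed, not a real GLPI install).
$root    = sys_get_temp_dir() . '/glpi-demo-' . bin2hex(random_bytes(4));
$uploads = "$root/files/_uploads";
$config  = "$root/config/config_db.php";
mkdir($uploads, 0700, true);
mkdir(dirname($config), 0700, true);
file_put_contents("$uploads/ticket-42.txt", "attachment body");
file_put_contents($config, "<?php // database credentials");

// Traversal against the vulnerable helper removes the config file outside the base dir.
$escaped = deleteAttachmentVulnerable($uploads, '../../config/config_db.php');
printf("vulnerable helper deleted config file: %s\n", $escaped ? 'yes' : 'no');
printf("config file still present: %s\n", file_exists($config) ? 'yes' : 'no');

// Restore the file, then show the hardened helper refuses the same kind of input but
// still deletes a legitimate attachment.
file_put_contents($config, "<?php // database credentials");
$names = ['../../config/config_db.php', '/etc/hostname', "ticket-42.txt\0.bak", 'ticket-42.txt'];
foreach ($names as $name) {
    printf("safe helper, name %s: %s\n",
        json_encode($name), deleteAttachmentSafe($uploads, $name) ? 'deleted' : 'refused');
}
printf("config file still present: %s\n", file_exists($config) ? 'yes' : 'no');

// Clean up the temporary tree.
@unlink($config);
@unlink("$uploads/ticket-42.txt");
rmdir(dirname($config));
rmdir($uploads);
rmdir(dirname($uploads));
rmdir($root);
```

Run it with `php demo.php`. The containment check is done on the realpath() result rather than on the supplied string, because string-level checks miss symlinks and alternate encodings of "..". Even the hardened helper can only remove what the process user may write, so keeping the webserver's write permission to the directories GLPI needs is the second, independent layer the advisory's precondition points at.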

Affected code

The advisory does not name the affected code. The only hunk reproduced on this page, in `src/Lock.php`, rewrites an HTML anchor in `Lock::showForItem()` and touches no file-deletion logic, so the location of the vulnerable deletion path cannot be determined from the material on this page [patch_id=4683556].

What the fix does

The visible `Lock.php` hunk removes a stray `$related_object->getName()` that was being emitted inside the `<a>` opening tag. That is a markup correction and is not what closes the file-deletion issue; the merge commit labelled "Fixed in 10.0.25" is shown here with only this one file, so the change that actually confines the deletion is not reproduced on this page. The corrected releases are 10.0.25 (10.x branch) and 11.0.7 (11.x branch); the second listed commit is the 11.0.7 version bump that tags that release [patch_id=4683556].

Preconditions

  • auth: The attacker must be authenticated as a technician user.
  • config: The webserver process must have write permission on the target files. On POSIX filesystems, removing a file requires write permission on its parent directory rather than on the file itself, so the reachable set is every directory the webserver user can write.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.