Glpi
by Glpi Project
Source repositories
CVEs (201)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-31705 | Cri | 0.64 | 9.8 | 0.02 | Apr 29, 2024 | An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. | ||
| CVE-2017-11184 | Cri | 0.64 | 9.8 | 0.02 | Jul 28, 2017 | SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | ||
| CVE-2017-11474 | Cri | 0.64 | 9.8 | 0.01 | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. | ||
| CVE-2017-11329 | Cri | 0.64 | 9.8 | 0.01 | Jul 17, 2017 | GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | ||
| CVE-2018-13049 | Hig | 0.57 | 8.8 | 0.01 | Jul 2, 2018 | The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php. | ||
| CVE-2017-11475 | Hig | 0.57 | 8.8 | 0.01 | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php. | ||
| CVE-2026-26026 | Cri | 0.52 | 9.1 | 0.00 | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6. | ||
| CVE-2016-7507 | Hig | 0.52 | 8.0 | 0.00 | Jul 19, 2017 | Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application. | ||
| CVE-2016-7508 | Hig | 0.52 | 7.5 | 0.02 | Jun 21, 2017 | Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. | ||
| CVE-2026-42321 | Hig | 0.48 | — | 0.00 | Jun 3, 2026 | GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch. | ||
| CVE-2026-5385 | Hig | 0.48 | — | 0.00 | Jun 2, 2026 | An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7. | ||
| CVE-2026-40108 | Hig | 0.46 | — | 0.00 | Jun 2, 2026 | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7. | ||
| CVE-2026-26263 | Hig | 0.46 | 8.1 | 0.09 | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6. | ||
| CVE-2026-26027 | Hig | 0.42 | 7.5 | 0.00 | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6. | ||
| CVE-2025-53105 | Hig | 0.42 | 7.5 | 0.00 | Aug 27, 2025 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration… | ||
| CVE-2026-29047 | Hig | 0.40 | 7.2 | 0.00 | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. | ||
| CVE-2026-25932 | Hig | 0.40 | 7.2 | 0.00 | Apr 6, 2026 | GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24. | ||
| CVE-2026-44281 | Hig | 0.39 | — | 0.00 | Jun 3, 2026 | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch. | ||
| CVE-2026-42318 | Hig | 0.39 | — | 0.00 | Jun 3, 2026 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable… | ||
| CVE-2026-42317 | Hig | 0.39 | — | 0.00 | Jun 3, 2026 | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a… |
- risk 0.64cvss 9.8epss 0.02
An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.
- risk 0.64cvss 9.8epss 0.02
SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.
- risk 0.64cvss 9.8epss 0.01
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
- risk 0.64cvss 9.8epss 0.01
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
- risk 0.57cvss 8.8epss 0.01
The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.
- risk 0.57cvss 8.8epss 0.01
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
- risk 0.52cvss 9.1epss 0.00
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.
- risk 0.52cvss 8.0epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
- risk 0.52cvss 7.5epss 0.02
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
- risk 0.48cvss —epss 0.00
GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
- risk 0.48cvss —epss 0.00
An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.
- risk 0.46cvss —epss 0.00
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.
- risk 0.46cvss 8.1epss 0.09
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
- risk 0.42cvss 7.5epss 0.00
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
- risk 0.42cvss 7.5epss 0.00
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration…
- risk 0.40cvss 7.2epss 0.00
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
- risk 0.40cvss 7.2epss 0.00
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.
- risk 0.39cvss —epss 0.00
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.
- risk 0.39cvss —epss 0.00
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable…
- risk 0.39cvss —epss 0.00
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a…
Page 1 of 11