Glpi
by Glpi Project
Source repositories
CVEs (201)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-9258 | | | 0.03 | — | 0.03 | | Dec 19, 2014 | SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. |
| CVE-2013-2226 | | | 0.03 | — | 0.03 | | May 14, 2014 | Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to… |
| CVE-2024-50339 | | | 0.02 | — | 0.20 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-27937 | | | 0.02 | — | 0.27 | | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13. |
| CVE-2023-43813 | | | 0.02 | — | 0.31 | | Dec 13, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue. |
| CVE-2019-10232 | | | 0.02 | — | 0.23 | | Mar 27, 2019 | Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php. |
| CVE-2024-37149 | | | 0.01 | — | 0.21 | | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script.… |
| CVE-2024-37147 | | | 0.01 | — | 0.01 | | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16. |
| CVE-2023-41320 | | | 0.01 | — | 0.32 | | Sep 26, 2023 | GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This… |
| CVE-2023-36808 | | | 0.01 | — | 0.45 | | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, the Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one… |
| CVE-2023-35924 | | | 0.01 | — | 0.49 | | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, the GLPI inventory endpoint can be used to drive a SQL injection attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for… |
| CVE-2026-25937 | | | 0.00 | — | 0.00 | | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue. |
| CVE-2026-25936 | | | 0.00 | — | 0.00 | | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue. |
| CVE-2026-22248 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an… |
| CVE-2026-22044 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. |
| CVE-2026-23624 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication based on SSO variables is used, a user can steal a GLPI session previously opened by another user on the same machine. This… |
| CVE-2026-22247 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform an SSRF request through the Webhook feature. This issue has been patched in version 11.0.5. |
| CVE-2025-66417 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. |
| CVE-2025-64516 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This… |
| CVE-2023-53943 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response… |