Vendor: Glpi Project
Products: 2
CVEs: 170
Across products: 521
Status: Private

Products (2)
- 520 CVEs
- 1 CVE
Recent CVEs (170)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-11184 | Critical | 0.64 | 9.8 | 0.00 | | Jul 28, 2017 | SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. |
| CVE-2017-11474 | Critical | 0.64 | 9.8 | 0.00 | | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. |
| CVE-2017-11329 | Critical | 0.64 | 9.8 | 0.00 | | Jul 17, 2017 | GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. |
| CVE-2026-26026 | Critical | 0.59 | 9.1 | 0.00 | | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6. |
| CVE-2017-11475 | High | 0.57 | 8.8 | 0.00 | | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL injection in the condition rule field, exploitable via front/rulesengine.test.php. |
| CVE-2026-26263 | High | 0.53 | 8.1 | 0.00 | | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's search engine. This vulnerability is fixed in 11.0.6. |
| CVE-2016-7507 | High | 0.52 | 8.0 | 0.00 | | Jul 19, 2017 | Cross-site request forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application. |
| CVE-2016-7508 | High | 0.52 | 7.5 | 0.00 | | Jun 21, 2017 | Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. |
| CVE-2026-26027 | High | 0.49 | 7.5 | 0.00 | | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6. |
| CVE-2026-29047 | High | 0.47 | 7.2 | 0.00 | | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. |
| CVE-2026-25932 | High | 0.47 | 7.2 | 0.00 | | Apr 6, 2026 | GLPI is a free asset and IT management software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24. |
| CVE-2025-32786 | High | 0.42 | 7.5 | 0.00 | | Nov 4, 2025 | The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL injection. This issue is fixed in version 1.5.1. |
| CVE-2025-53105 | High | 0.42 | 7.5 | 0.00 | | Aug 27, 2025 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19. |
| CVE-2016-7509 | Medium | 0.35 | 5.4 | 0.00 | | Jul 19, 2017 | Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket. |
| CVE-2017-11183 | Medium | 0.32 | 4.9 | 0.00 | | Jul 28, 2017 | front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. |
| CVE-2013-5696 | | 0.08 | — | 0.64 | | Sep 23, 2013 | inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action. |
| CVE-2024-29889 | | 0.06 | — | 0.69 | | May 7, 2024 | GLPI is a free asset and IT management software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15. |
| CVE-2025-24799 | | 0.05 | — | 0.29 | | Mar 18, 2025 | GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. |
| CVE-2020-11034 | | 0.05 | — | 0.59 | | May 5, 2020 | In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6. |
| CVE-2022-31061 | | 0.04 | — | 0.46 | | Jun 28, 2022 | GLPI is a free asset and IT management software package covering data center management, ITIL service desk, license tracking and software auditing. In affected versions there is a SQL injection vulnerability on the login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. |