VYPR
Vendor

Glpi Project

Products
10
CVEs
219
Across products
220
Status
Private

Products

10

Recent CVEs

219
View all 219 CVEs →
  • CVE-2024-31705CriApr 29, 2024
    risk 0.64cvss 9.8epss 0.02

    An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.

  • CVE-2017-11184CriJul 28, 2017
    risk 0.64cvss 9.8epss 0.02

    SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.

  • CVE-2017-11474CriJul 20, 2017
    risk 0.64cvss 9.8epss 0.01

    GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.

  • CVE-2017-11329CriJul 17, 2017
    risk 0.64cvss 9.8epss 0.01

    GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.

  • CVE-2018-13049HigJul 2, 2018
    risk 0.57cvss 8.8epss 0.01

    The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.

  • CVE-2017-11475HigJul 20, 2017
    risk 0.57cvss 8.8epss 0.01

    GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.

  • CVE-2026-26026CriApr 6, 2026
    risk 0.52cvss 9.1epss 0.00

    GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

  • CVE-2016-7507HigJul 19, 2017
    risk 0.52cvss 8.0epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.

  • CVE-2016-7508HigJun 21, 2017
    risk 0.52cvss 7.5epss 0.02

    Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.

  • CVE-2026-42321HigJun 3, 2026
    risk 0.48cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

  • CVE-2026-5385HigJun 2, 2026
    risk 0.48cvss epss 0.00

    An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.

  • CVE-2026-40108HigJun 2, 2026
    risk 0.46cvss epss 0.00

    GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.

  • CVE-2026-26263HigApr 6, 2026
    risk 0.46cvss 8.1epss 0.09

    GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

  • CVE-2025-27147HigMar 25, 2025
    risk 0.46cvss 8.2epss 0.00

    The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access…

  • CVE-2024-53850HigDec 26, 2024
    risk 0.46cvss 8.2epss 0.01

    The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.

  • CVE-2026-26027HigApr 6, 2026
    risk 0.42cvss 7.5epss 0.00

    GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

  • CVE-2025-32786HigNov 4, 2025
    risk 0.42cvss 7.5epss 0.06

    The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.

  • CVE-2025-53105HigAug 27, 2025
    risk 0.42cvss 7.5epss 0.00

    GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration…

  • CVE-2026-29047HigApr 6, 2026
    risk 0.40cvss 7.2epss 0.00

    GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

  • CVE-2026-25932HigApr 6, 2026
    risk 0.40cvss 7.2epss 0.00

    GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.