Vendor CVEs
Glpi Project
All CVEs
219 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50339 | | | 0.02 | — | 0.20 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-27937 | | | 0.02 | — | 0.27 | | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13. |
| CVE-2023-43813 | | | 0.02 | — | 0.31 | | Dec 13, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue. |
| CVE-2019-10232 | | | 0.02 | — | 0.23 | | Mar 27, 2019 | Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php. |
| CVE-2024-37149 | | | 0.01 | — | 0.21 | | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script.… |
| CVE-2024-37147 | | | 0.01 | — | 0.01 | | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16. |
| CVE-2023-41320 | | | 0.01 | — | 0.32 | | Sep 26, 2023 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This… |
| CVE-2023-36808 | | | 0.01 | — | 0.45 | | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, the Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one… |
| CVE-2023-35924 | | | 0.01 | — | 0.49 | | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, the GLPI inventory endpoint can be used to drive a SQL injection attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for… |
| CVE-2021-43779 | | | 0.01 | — | 0.09 | | Jan 5, 2022 | GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from an authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command… |
| CVE-2026-26001 | | | 0.00 | — | 0.00 | | Mar 17, 2026 | The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non-sanitized user input can lead to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6. |
| CVE-2026-25937 | | | 0.00 | — | 0.00 | | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue. |
| CVE-2026-25936 | | | 0.00 | — | 0.00 | | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue. |
| CVE-2026-22248 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an… |
| CVE-2026-25590 | | | 0.00 | — | 0.00 | | Mar 3, 2026 | The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6. |
| CVE-2026-22044 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. |
| CVE-2026-23624 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication based on SSO variables is used, a user can steal a GLPI session previously opened by another user on the same machine. This… |
| CVE-2026-22247 | | | 0.00 | — | 0.00 | | Feb 4, 2026 | GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform an SSRF request through the Webhook feature. This issue has been patched in version 11.0.5. |
| CVE-2025-66417 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. |
| CVE-2025-64516 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This… |
| CVE-2023-53943 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response… |
| CVE-2025-64520 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch. |
| CVE-2025-59935 | | | 0.00 | — | 0.00 | | Dec 16, 2025 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. |
| CVE-2025-53357 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of… |
| CVE-2025-53113 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links… |
| CVE-2025-53112 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed… |
| CVE-2025-53111 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. |
| CVE-2025-53008 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal… |
| CVE-2025-52897 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. |
| CVE-2025-52567 | | | 0.00 | — | 0.00 | | Jul 30, 2025 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security… |
| CVE-2025-27514 | | | 0.00 | — | 0.00 | | Jul 29, 2025 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed… |
| CVE-2025-24801 | | | 0.00 | — | 0.17 | | Mar 18, 2025 | GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. |
| CVE-2025-21619 | | | 0.00 | — | 0.00 | | Mar 18, 2025 | GLPI is a free asset and IT management software package. An administrator user can perform a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18. |
| CVE-2025-25192 | | | 0.00 | — | 0.01 | | Feb 25, 2025 | GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file. |
| CVE-2025-23046 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on… |
| CVE-2025-23024 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file. |
| CVE-2025-21627 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user.… |
| CVE-2025-21626 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may… |
| CVE-2024-11955 | | | 0.00 | — | 0.00 | | Feb 25, 2025 | A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The… |
| CVE-2024-48912 | | | 0.00 | — | 0.00 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-47761 | | | 0.00 | — | 0.01 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-47760 | | | 0.00 | — | 0.00 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-47758 | | | 0.00 | — | 0.00 | | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue. |
| CVE-2024-43416 | | | 0.00 | — | 0.01 | | Nov 18, 2024 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue. |
| CVE-2024-38370 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16. |
| CVE-2024-45611 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a… |
| CVE-2024-45610 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located… |
| CVE-2024-45609 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the… |
| CVE-2024-45608 | | | 0.00 | — | 0.01 | | Nov 15, 2024 | GLPI is a free asset and IT management software package. An authenticated user can perform a SQL injection by changing their preferences. Upgrade to 10.0.17. |
| CVE-2024-43418 | | | 0.00 | — | 0.00 | | Nov 15, 2024 | GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17. |
Page 2 of 5