Description
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Published: 2026-02-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw is a classic authenticated SQL injection (CWE-89) affecting GLPI versions 0.85 through 10.0.22. A user who has legitimate credentials can inject arbitrary SQL commands into the application, enabling read, write, or delete operations on the underlying database. This compromises confidentiality of asset data and could provide a foothold for further malicious activity within the organization.

Affected Systems

GLPI, the free asset and IT management platform, is affected from release 0.85 up to but not including 10.0.23. All installations of GLPI in this version range are vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 6.5 indicates medium severity. Because exploitation requires authentication, the attack surface is limited to users who can log in to the GLPI instance. The EPSS score is less than 1%, implying a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need valid credentials and knowledge of the vulnerable query, for example from the application's publicly available source code, to craft the malicious input.

Generated by OpenCVE AI on April 17, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.23 or later, which contains the patch for the SQL injection.
  • If an upgrade cannot be performed immediately, restrict or suspend the use of privileged user accounts until the upgrade is completed.
  • Enforce strong password policies and monitor for unusual database activity to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 21:30:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 21:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Glpi-project
                                        Glpi-project glpi
Vendors & Products    -                 Glpi-project
                                        Glpi-project glpi

Wed, 04 Feb 2026 20:15:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 17:30:00 +0000

Type           Values Removed    Values Added
Description    -                 GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Title          -                 GLPI is Vulnerable to Authenticated SQL Injection
Weaknesses     -                 CWE-89
References     -
Metrics        -                 cvssV3_1
                                 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Glpi-project Glpi
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:27:43.406Z

Reserved: 2026-01-05T22:30:38.720Z

Link: CVE-2026-22044

Vulnrichment

Updated: 2026-02-04T19:27:37.310Z

NVD

Status: Analyzed

Published: 2026-02-04T18:16:08.580

Modified: 2026-02-06T21:19:53.713

Link: CVE-2026-22044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses