Description
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.
Published: 2026-03-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

GLPI is an open-source asset and IT management platform that offers ITIL Service Desk features and software license tracking. Between versions 11.0.0 and 11.0.4, an authenticated technician user can upload a specially crafted file and trigger its execution via unsafe PHP instantiation. This flaw allows an attacker to run arbitrary code on the server, compromising confidentiality, integrity and availability, and is classified as CWE-502 (Serialization Issues).

Affected Systems

The vulnerability exists in the glpi product from the glpi-project (CPE: cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*). Affected software versions range from 11.0.0 up to but excluding 11.0.5; versions 11.0.5 and later contain the fix.

Risk and Exploitability

The CVSS assessment assigns a score of 8.1, indicating high severity. The EPSS score is below 1%, suggesting a low current exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to already hold authenticated access as a technician, but once that is achieved, remote code execution is possible. Administrators should treat this as a critical issue and ensure the software is updated promptly.

Generated by OpenCVE AI on March 20, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.5 or later to apply the vendor fix.
  • If an immediate upgrade is not possible, restrict file upload capabilities for technician accounts and monitor uploads for suspicious content.

Tracking

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Teclib-edition; Teclib-edition glpi
CPEs                                  cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*
Vendors & Products                    Teclib-edition; Teclib-edition glpi

Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Glpi-project; Glpi-project glpi
Vendors & Products                    Glpi-project; Glpi-project glpi

Wed, 11 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:00:00 +0000

Type                 Values Removed   Values Added
Description                           GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.
Title                                 GLPI affected by Remote Code Execution via malicious upload
Weaknesses                            CWE-502
References
Metrics                               cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Glpi-project Glpi
Teclib-edition Glpi
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T03:55:34.194Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22248

Vulnrichment

Updated: 2026-03-11T17:24:20.375Z

NVD

Status: Analyzed

Published: 2026-03-11T16:16:24.103

Modified: 2026-03-20T14:29:50.413

Link: CVE-2026-22248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:31Z

Weaknesses