Description
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
Published: 2026-03-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection (CWE-89) that can only be leveraged by an attacker who already holds valid GLPI user credentials. By injecting SQL into the affected query, the attacker can read, and possibly modify, data stored in GLPI's database, potentially impacting the confidentiality, integrity, and availability of the asset management system. The CVE description itself says only that an authenticated user can perform a SQL injection; the CVSS v3.1 vector recorded for this CVE (C:H/I:N/A:N) rates the assessed impact as high for confidentiality and none for integrity and availability, so data exfiltration is the primary documented risk, with unauthorized configuration changes a possible rather than a confirmed outcome.

Affected Systems

The affected product is GLPI from glpi-project. Versions 11.0.0 up to and including 11.0.5 are impacted. The issue is fixed in GLPI 11.0.6. The Common Platform Enumeration indicates the product as cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score is 6.5, indicating medium severity. EPSS is reported as less than 1%, implying a low estimated probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access to the GLPI instance, and the vector's PR:L component indicates that a low-privileged account is sufficient; an attacker who can obtain or compromise any user's credentials can exploit the flaw. No unauthenticated remote attack vector is described, so mitigation focuses on preventing credential compromise and applying the patch.

Generated by OpenCVE AI on March 19, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GLPI 11.0.6 or later, the release that fixes CVE-2026-25936.
  • If an immediate upgrade is not possible, reduce the blast radius instead: restrict the privileges of the database account GLPI uses to connect to its MySQL/MariaDB server to the minimum the application needs, and limit which users can authenticate to the instance. Note that every GLPI user shares that single database account, so application-level permissions do not bound what an injected query can do; only the database account's grants do, and those must still allow GLPI to read and write its own tables.



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Teclib-edition; Teclib-edition glpi
CPEs | - | cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*
Vendors & Products | - | Teclib-edition; Teclib-edition glpi

Wed, 18 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Glpi-project; Glpi-project glpi
Vendors & Products | - | Glpi-project; Glpi-project glpi

Tue, 17 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | - | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
Title | - | GLPI Vulnerable to Authenticated SQL Injection
Weaknesses | - | CWE-89
References | - | -
Metrics | - | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T20:00:30.055Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25936

Vulnrichment

Updated: 2026-03-18T20:00:27.307Z

NVD

Status: Analyzed

Published: 2026-03-17T20:16:13.707

Modified: 2026-03-19T19:30:14.187

Link: CVE-2026-25936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:40Z

Weaknesses