Description
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non-sanitized user input can lead to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.
Published: 2026-03-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The GLPI Inventory Plugin allows users to view network inventories and generate reports. Prior to version 1.6.6, unsanitized input from a user‑controlled dropdown in the calendar report can be exploited for an SQL injection. An attacker with sufficient rights could execute arbitrary SQL commands against the underlying database, potentially reading, modifying, or deleting inventory data and compromising the confidentiality and integrity of the system. The vulnerability does not provide a direct code‑execution path but can be used to subvert data integrity.

Affected Systems

This flaw affects the GLPI Inventory Plugin, used with GLPI for asset management. Versions prior to 1.6.6 are vulnerable; upgrade to 1.6.6 or newer to eliminate the issue.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, and an EPSS score below 1% suggests a low likelihood of widespread exploitation, consistent with the absence from the KEV catalog. The attack requires an authenticated user with report-generation privileges who can supply crafted input to the dropdown. When those conditions are met, the injection is reachable directly through the web interface.
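The Impact and Risk passages above describe the class of defect (a dropdown value reaching the report query unsanitized) without showing code, and the plugin's own PHP is not on this page. The following is an added illustration, not GLPI or plugin code, written in Python with sqlite3 so it runs stand-alone: a report filter that interpolates the dropdown value into the SQL text, beside the hardened form that allow-lists the value against the ids the dropdown actually offers and binds it as a query parameter. The `inventory` table, the `calendars_id` column name and the sample rows are constructed for the example.

```python
"""Added example (not GLPI code): a dropdown-driven report query in its
interpolating form and in a hardened form. Table, column names and rows
are constructed for illustration."""
import sqlite3

# Constructed sample data: two calendars, each with two inventory entries.
SAMPLE_ROWS = [
    (1, 1, "host-a"),
    (2, 1, "host-b"),
    (3, 2, "host-c"),
    (4, 2, "host-d"),
]


def make_db():
    """In-memory database holding the constructed inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (id INTEGER, calendars_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def report_vulnerable(conn, calendars_id):
    """Defect pattern: the dropdown value is pasted into the SQL text, so any
    value that is not a bare integer becomes part of the query itself."""
    sql = (
        "SELECT name FROM inventory WHERE calendars_id = "
        + str(calendars_id)
        + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def report_hardened(conn, calendars_id, allowed_ids):
    """Hardened form: reject anything that is not one of the ids the dropdown
    offers, then bind the value as a parameter so the driver never treats it
    as SQL."""
    try:
        cid = int(calendars_id)
    except (TypeError, ValueError):
        raise ValueError("calendars_id must be an integer")
    if cid not in allowed_ids:
        raise ValueError("calendars_id is not one of the dropdown options")
    sql = "SELECT name FROM inventory WHERE calendars_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cid,))]


def demo():
    """Run both forms against a normal value and a tautology-style value.
    Returns (vulnerable/normal, vulnerable/crafted, hardened/normal,
    hardened/crafted outcome)."""
    conn = make_db()
    allowed = {row[1] for row in SAMPLE_ROWS}  # ids the dropdown would list
    normal = "1"
    crafted = "1 OR 1=1"  # widens the filter to every row in the interpolating form
    vuln_normal = report_vulnerable(conn, normal)
    vuln_crafted = report_vulnerable(conn, crafted)
    hard_normal = report_hardened(conn, normal, allowed)
    try:
        report_hardened(conn, crafted, allowed)
        hard_crafted = "accepted"
    except ValueError:
        hard_crafted = "rejected"
    return vuln_normal, vuln_crafted, hard_normal, hard_crafted


if __name__ == "__main__":
    for label, value in zip(
        ("vulnerable/normal", "vulnerable/crafted", "hardened/normal", "hardened/crafted"),
        demo(),
    ):
        print(f"{label}: {value}")
```

The allow-list check is the part specific to a dropdown: the server already knows the finite set of ids it rendered, so any other value is by definition not something a legitimate form submission can produce, and rejecting it also gives a clean point to log for detection. Parameter binding is the general fix and should be applied regardless of the allow-list.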

Generated by OpenCVE AI on March 23, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GLPI Inventory Plugin to version 1.6.6 or later.



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values added: Glpi-project; Glpi-project glpi Inventory

Type: Vendors & Products
Values added: Glpi-project; Glpi-project glpi Inventory

Tue, 17 Mar 2026 23:30:00 +0000

Type: Description
Values added: The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.

Type: Title
Values added: GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T20:16:53.878Z

Reserved: 2026-02-09T17:41:55.859Z

Link: CVE-2026-26001

Vulnrichment

Updated: 2026-03-18T20:16:48.402Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:18.770

Modified: 2026-03-23T18:14:43.043

Link: CVE-2026-26001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:23Z

Weaknesses