Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

GLPI is a widely used asset and IT management platform that suffered a Server‑Side Template Injection vulnerability in templating logic, allowing an authenticated administrator to craft input that is compiled twice by the template engine. The double‑compilation flaw makes it possible to inject arbitrary code, effectively bypassing the web application’s input filtering. This injection is aligned with the Common Weakness Enumeration categories for code injection and template injection.

Affected Systems

The vulnerability exists in GLPI versions between 11.0.0 and just before 11.0.6, inclusive. Users running any of those releases are at risk until the upstream developers push the fix delivered in the 11.0.6 release. The impact is limited to systems where the GLPI installation is accessible to administrators, as an attacker must authenticate with administrative rights to trigger the template injection. The software is available through the GLPI project website and open‑source repositories, so many corporate and public deployments remain affected.

Risk and Exploitability

The flaw received a CVSS score of 9.1, indicating a high severity, yet the EPSS probability is reported as less than 1%, suggesting that exploitation is unlikely in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, further indicating that it has not yet been widely abused by attackers. That said, if an attacker gains admin credentials or otherwise compromises an administrator’s session, the attack vector becomes a straightforward web‑based exploitation and can provide full control of the underlying server.

Generated by OpenCVE AI on April 7, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GLPI to version 11.0.6 or later to resolve the double‑compilation template injection flaw.
  • If an immediate update is not feasible, restrict external access to the GLPI administration interface and enforce strong, separate credentials for administrative accounts.
  • Monitor the application for unexpected template rendering or execution logs, and apply any additional vendor recommendations from the GLPI security advisory.

Generated by OpenCVE AI on April 7, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.
Title GLPI has a Server-Side Template Injection via Double-Compilation
Weaknesses CWE-1336
CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:55:39.862Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26026

cve-icon Vulnrichment

Updated: 2026-04-06T15:31:16.083Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T15:17:07.093

Modified: 2026-04-07T16:03:34.597

Link: CVE-2026-26026

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:51Z

Weaknesses