Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated time-based blind SQL injection in GLPI search engine
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated time-based blind SQL injection exists in the search engine of GLPI versions 11.0.0 through 11.0.5. An unauthenticated attacker can inject SQL through search parameters and have the database execute the injected query. Successful exploitation can read arbitrary data from the database, compromising the confidentiality of asset, user, and configuration information.

Affected Systems

GLPI, a free asset and IT management software package developed by the GLPI Project, is affected. All versions from 11.0.0 up to but not including 11.0.6 are vulnerable. No other vendors or product variants have been reported as impacted.

Risk and Exploitability

The CVSS v3.1 score of 8.1 indicates high severity. The EPSS score is below 1%, suggesting that active exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog, further indicating limited in-the-wild exploitation. The attack vector is most likely the public search interface, which requires no user authentication or elevated privileges. Overall, the risk is high because exploitation is open to any user, but the current likelihood of exploitation remains low.

Generated by OpenCVE AI on April 7, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GLPI to version 11.0.6 or later to resolve the SQL injection flaw.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Glpi-project, Glpi-project glpi
Vendors & Products | | Glpi-project, Glpi-project glpi

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Title | | GLPI has an Unauthenticated SQL Injection via Search engine
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:55:42.069Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26263

Vulnrichment

Updated: 2026-04-06T18:40:23.858Z

NVD

Status : Analyzed

Published: 2026-04-06T15:17:07.430

Modified: 2026-04-07T16:02:38.350

Link: CVE-2026-26263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:50:49Z

Weaknesses