Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 8.1 High
EPSS: 8.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GLPI, a free asset and IT management software package, contains an unauthenticated time-based blind SQL injection in its search engine in versions 11.0.0 through 11.0.5. The flaw, classified as CWE-89, allows any unauthenticated visitor to craft a search query that is incorporated directly into an SQL statement, so the database executes the injected logic and may expose arbitrary data. Exfiltration of sensitive asset, user, and configuration information compromises confidentiality and may enable further attacks.

Affected Systems

The vulnerability affects GLPI versions 11.0.0 to 11.0.5, inclusive. No other editions or vendors are affected; the only affected product is the GLPI project package available from the official website.

Risk and Exploitability

The CVSS v3 score of 8.1 signals high severity. An EPSS score of 9% indicates that exploitation is moderately likely compared with other CVEs. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed in-the-wild exploitation has been reported. The attack requires only unauthenticated access to the public search interface, with no special permissions, so the risk is high and the likelihood of exploitation is significant, especially for internet-exposed instances.

Generated by OpenCVE AI on June 24, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.6 or later to patch the SQL injection flaw.
  • If an immediate upgrade is not possible, restrict the search endpoint to authenticated users only, or disable it, to block unauthenticated exploitation.
  • Implement monitoring of application logs for suspicious query patterns, employ rate limiting on search requests, and consider WAF rules to detect and block SQL injection attempts.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Glpi-project; Glpi-project glpi

Type: Vendors & Products
Values Added: Glpi-project; Glpi-project glpi

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type: Description
Values Added: GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

Type: Title
Values Added: GLPI has an Unauthenticated SQL Injection via Search engine

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:55:42.069Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26263

Vulnrichment

Updated: 2026-04-06T18:40:23.858Z

NVD

Status : Analyzed

Published: 2026-04-06T15:17:07.430

Modified: 2026-06-17T10:26:00.303

Link: CVE-2026-26263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')