Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Unauthorized data access
Action: Immediate Patch
AI Analysis

Impact

GLPI versions 11.0.0 through 11.0.5 contain an unauthenticated, time‑based blind SQL injection in the search engine. The flaw allows an attacker to craft SQL queries that cause delays based on query results, enabling extraction of database contents without authentication. This vulnerability can lead to disclosure of sensitive asset and IT management data, compromising confidentiality of the system.

Affected Systems

The vulnerability affects installations of GLPI from the glpi‑project, specifically all releases from version 11.0.0 up to, but not including, 11.0.6. Any other version is not impacted.

Risk and Exploitability

The CVSS score of 8.1 identifies the issue as high severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, so no confirmed exploitation is known. The attack can be performed over the network via the search engine endpoint without authentication, making it accessible to external adversaries. Without a patch, an attacker could use the time‑based responses to enumerate database tables and columns, potentially revealing confidential information.

Generated by OpenCVE AI on April 6, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.6 or later

Generated by OpenCVE AI on April 6, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Title GLPI has an Unauthenticated SQL Injection via Search engine
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:40:28.428Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26263

cve-icon Vulnrichment

Updated: 2026-04-06T18:40:23.858Z

cve-icon NVD

Status : Received

Published: 2026-04-06T15:17:07.430

Modified: 2026-04-06T15:17:07.430

Link: CVE-2026-26263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:32:40Z

Weaknesses