Description
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Published: 2026-04-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL injection via logs export
Action: Patch
AI Analysis

Impact

An SQL injection flaw exists in the logs export function of GLPI. An authenticated user can supply crafted input that is incorporated into an SQL statement, allowing arbitrary queries or modifications against the database. This can lead to disclosure of sensitive data, alteration of records, or deletion of entries, compromising confidentiality, integrity, and potentially availability of the system.

Affected Systems

GLPI versions 10.0.0 through 10.0.23 and all 11.x releases prior to 11.0.6 are affected. The vulnerability was fixed in 10.0.24 and 11.0.6 and later versions of GLPI.

Risk and Exploitability

The CVSS v3.1 score is 7.2, indicating high severity. The EPSS score is below 1%, implying a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated web session and use of the logs export operation, after which an attacker can inject malicious SQL statements.

Generated by OpenCVE AI on April 7, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.24 or newer, or to version 11.0.6 or newer
  • If an upgrade is not immediately possible, restrict the logs export feature to users with the minimum required permissions

Generated by OpenCVE AI on April 7, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Title GLPI has an Authenticated SQL Injection via log exports
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:06:57.659Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29047

cve-icon Vulnrichment

Updated: 2026-04-07T13:06:54.803Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T15:17:07.590

Modified: 2026-04-07T16:02:15.277

Link: CVE-2026-29047

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:48Z

Weaknesses