Description
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Published: 2026-04-06
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: Data Compromise
Action: Apply Patch
AI Analysis

Impact

A vulnerable version of GLPI allows an authenticated user to inject arbitrary SQL statements through the logs export interface. The flaw is a classic injection point (CWE-89), which could enable the modification or extraction of database contents and potentially disrupt the integrity of asset data. The vulnerability can be triggered by any user who has legitimate login credentials and access to the logs export feature.

Affected Systems

GLPI versions 10.0.0 up to but not including 10.0.24, and 11.0.0 up to but not including 11.0.6 are susceptible. Upgrading to 10.0.24 or 11.0.6 mitigates the issue.

Risk and Exploitability

With a CVSS score of 7.2, this flaw is rated high severity. Exploitation requires an authenticated session (the CVSS vector rates privileges required as high, PR:H), so an attacker must first compromise an account or otherwise hold legitimate access. The exploit probability (EPSS) is currently not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the possibility of database compromise warrants swift attention.

Generated by OpenCVE AI on April 6, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GLPI patch (v10.0.24 or v11.0.6) to remove the vulnerable code.
  • If immediate patching is not feasible, disable or limit the logs export feature to trusted administrators only.
  • Continuously monitor activity logs for suspicious export attempts and conduct regular database integrity checks.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

  First Time appeared
    Values added: Glpi-project; Glpi-project glpi
  Vendors & Products
    Values added: Glpi-project; Glpi-project glpi

Mon, 06 Apr 2026 15:30:00 +0000

  Description
    Values added: GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
  Title
    Values added: GLPI has an Authenticated SQL Injection via log exports
  Weaknesses
    Values added: CWE-89
  References
    Values added:
  Metrics
    Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T14:39:15.996Z

Reserved: 2026-03-03T17:50:11.243Z

Link: CVE-2026-29047

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-06T15:17:07.590

Modified: 2026-04-06T15:17:07.590

Link: CVE-2026-29047

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:39Z

Weaknesses