What is the CVSS score of CVE-2025-24799?

CVE-2025-24799 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 55.1%.

Which versions of Glpi are affected by CVE-2025-24799?

Organizations using GLPI face notable risk from CVE-2025-24799, a SQL injection vulnerability rated CVSS 7.5.

Is there a public PoC exploit available for CVE-2025-24799?

Yes, a public proof-of-concept exploit is available for CVE-2025-24799. Prioritise patching immediately. EPSS: 55.1%.

How to fix or mitigate CVE-2025-24799?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Glpi CVE-2025-24799

HIGH

SQL Injection (CWE-89)

2025-03-18 security-advisories@github.com

SQLi Glpi

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

CVE Published

Mar 18, 2025 - 19:15 nvd

HIGH 7.5

DescriptionGitHub Advisory

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

AnalysisAI

GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers can extract the entire GLPI database including asset inventories, user credentials, helpdesk tickets, and IT infrastructure documentation without any authentication.

Technical ContextAI

The inventory API endpoint processes incoming inventory data without proper SQL parameterization. An unauthenticated attacker can inject SQL through inventory submission parameters, extracting data from the GLPI database. This endpoint is typically exposed to allow automated inventory agents to submit data.

RemediationAI

Update to GLPI 10.0.18. Restrict inventory endpoint access to known agent IP ranges. Implement network segmentation for GLPI. Rotate all user passwords if exploitation is suspected.

CVE-2025-24799 vulnerability details – vuln.today

Back

Glpi CVE-2025-24799

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code