What is the CVSS score of CVE-2025-64516?

CVE-2025-64516 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Glpi are affected by CVE-2025-64516?

Organizations using GLPI face notable risk from CVE-2025-64516, a improper access control vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

How to fix or mitigate CVE-2025-64516?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Glpi CVE-2025-64516

HIGH

Improper Access Control (CWE-284)

2026-01-15 security-advisories@github.com

Authentication Bypass Glpi

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 21, 2026 - 20:53 nvd

Patch available

CVE Published

Jan 15, 2026 - 16:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

AnalysisAI

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-284 (Improper Access Control). Affects Glpi. GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 10.0.21. Restrict network access to the affected service where possible.

CVE-2025-64516 vulnerability details – vuln.today

Back

Glpi CVE-2025-64516

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code