Skip to main content

Glpi CVE-2026-25936

| EUVD-2026-12627 MEDIUM
SQL Injection (CWE-89)
2026-03-17 GitHub_M
SQLi Glpi
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
11.0.6
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12627
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 19:41 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue.

AnalysisAI

GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network-accessible vulnerability with low attack complexity that requires low privileges (authenticated user) and no user interaction, yielding high confidentiality impact but no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated GLPI user with legitimate access to the system—such as a help desk technician or IT staff member—crafts a malicious search query or report filter that injects SQL code into a vulnerable parameter. The injected SQL statement executes with the GLPI application's database privileges, allowing the attacker to extract sensitive data such as user credentials, hardware inventory details, encrypted configuration values, or other confidential records stored in the database. …
Remediation Immediately upgrade GLPI to version 11.0.6 or later by following the vendor's official upgrade documentation at https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems running version 11.0.0 and and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-25936 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy