What is the CVSS score of CVE-2026-25937?

CVE-2026-25937 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Glpi are affected by CVE-2026-25937?

Organizations using version 11.0.0 and should be aware of notable risk from CVE-2026-25937, a improper authentication vulnerability rated CVSS 6.5.

Glpi CVE-2026-25937

MEDIUM

Improper Authentication (CWE-287)

2026-03-17 GitHub_M

Authentication Bypass Glpi

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 23:30 vuln.today

CVE Published

Mar 17, 2026 - 23:16 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

AnalysisAI

GLPI versions 11.0.0 through 11.0.5 contain an authentication bypass vulnerability that allows an attacker with knowledge of a user's credentials to circumvent multi-factor authentication (MFA) and gain unauthorized account access. This vulnerability affects the GLPI asset and IT management software and is classified as CWE-287 (Improper Authentication), with a CVSS score of 6.5 indicating medium severity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) presents a nuanced risk picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker obtains a GLPI user's credentials through credential stuffing, phishing, or password spray attacks. The attacker navigates to the GLPI login portal and enters the harvested credentials. …
Remediation	Upgrade GLPI to version 11.0.6 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running version 11.0.0 and and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25937 vulnerability details – vuln.today

Back

Glpi CVE-2026-25937

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code