Glpi Inventory Plugin
CVE-2026-26001
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.
AnalysisAI
SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.
Technical ContextAI
The GLPI Inventory Plugin is a network discovery, inventory management, and software deployment component for GLPI (Gestionnaire Libre de Parc Informatique), an open-source IT asset management solution. According to CPE data (cpe:2.3:a:glpi-project:glpi-inventory-plugin), the affected product is maintained by the GLPI Project. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a classic injection flaw where untrusted data is incorporated into SQL queries without proper validation or parameterization. The vulnerability specifically manifests in the reports functionality, where user-supplied input is passed directly to database queries, allowing attackers to manipulate SQL syntax and alter query logic.
RemediationAI
Upgrade the GLPI Inventory Plugin to version 1.6.6 or later, which contains fixes for the SQL injection vulnerability as documented in the GitHub Security Advisory at https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx. Organizations should prioritize this update for all GLPI installations using the inventory plugin. Until patching is completed, consider implementing compensating controls such as restricting access to the reports functionality through role-based access controls, limiting privileges for users who do not require report generation capabilities, and monitoring database query logs for suspicious SQL patterns or anomalous data access attempts. Review and audit user accounts with access to reporting features to ensure principle of least privilege.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today