Skip to main content

Glpi Inventory Plugin CVE-2026-26001

HIGH
SQL Injection (CWE-89)
2026-03-17 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 17, 2026 - 23:30 vuln.today
CVE Published
Mar 17, 2026 - 23:18 nvd
HIGH 7.1

DescriptionGitHub Advisory

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.

AnalysisAI

SQL injection in GLPI Inventory Plugin versions before 1.6.6 allows authenticated users with sufficient privileges to execute arbitrary SQL queries through unvalidated input in report functionality. An attacker with report access can extract or modify sensitive database information, though code execution is not possible through this vector. A patch is available in version 1.6.6 and later.

Technical ContextAI

The GLPI Inventory Plugin is a network discovery, inventory management, and software deployment component for GLPI (Gestionnaire Libre de Parc Informatique), an open-source IT asset management solution. According to CPE data (cpe:2.3:a:glpi-project:glpi-inventory-plugin), the affected product is maintained by the GLPI Project. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a classic injection flaw where untrusted data is incorporated into SQL queries without proper validation or parameterization. The vulnerability specifically manifests in the reports functionality, where user-supplied input is passed directly to database queries, allowing attackers to manipulate SQL syntax and alter query logic.

RemediationAI

Upgrade the GLPI Inventory Plugin to version 1.6.6 or later, which contains fixes for the SQL injection vulnerability as documented in the GitHub Security Advisory at https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx. Organizations should prioritize this update for all GLPI installations using the inventory plugin. Until patching is completed, consider implementing compensating controls such as restricting access to the reports functionality through role-based access controls, limiting privileges for users who do not require report generation capabilities, and monitoring database query logs for suspicious SQL patterns or anomalous data access attempts. Review and audit user accounts with access to reporting features to ensure principle of least privilege.

Share

CVE-2026-26001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy