CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
GLPI is a free asset and IT management software package. In versions starting from 10.0.0 and prior to 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Analysis
SQL injection in GLPI asset management software versions 10.0.0 through 10.0.23 and 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary SQL commands through the logs export feature. The vulnerability requires high-level privileges (PR:H), limiting the attack surface to compromised admin accounts or malicious insiders. …
Remediation
Within 24 hours: identify all GLPI instances in your environment and document current versions; disable or restrict access to the logs export feature via role-based access controls and network segmentation. Within 7 days: implement enhanced monitoring and logging of administrator account activity, particularly export and database query operations; enforce multi-factor authentication for all administrative accounts. …
EUVD-2026-19249