Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable low-complexity injection, but gated by high import privileges (PR:H) and an operator-triggered import (UI:R); demonstrated primitive is blind data read (C:H) with only plausible limited write (I:L).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.
AnalysisAI
Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated GLPI user who holds the profile permission to access the Data injection feature (per CVSS PR:H), and it requires that user to actively perform a CSV import of an attacker-crafted file (per UI:A / AT:P) - the payload must be placed in a mapped importable field such as Serial Number. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a moderate, not critical, real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A helpdesk or asset-management operator who legitimately holds the Data injection permission (or an attacker who has compromised such an account) crafts a CSV file where a mapped field such as Serial Number contains an SQL payload like a SLEEP() expression. When the file is imported through the plugin, the value is concatenated into the generated query and executed, and by observing response timing the attacker performs time-based blind extraction of database contents. … |
| Remediation | Upgrade the plugin to the fixed release - Vendor-released patch: 2.15.7 (https://github.com/pluginsGLPI/datainjection/releases/tag/2.15.7) - which is the primary and complete fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all user accounts with Data Injection feature access and review recent import logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42993
GHSA-q93h-qc46-87rr