Glpi Project Glpi Project

  1. Vendors
  2. Glpi Project

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Glpi Project product.

RSS Feeds for Glpi Project security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Glpi Project products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Glpi Project Sorted by Most Security Vulnerabilities since 2018

Glpi Project Glpi168 vulnerabilities

Glpi Project Glpi Agent3 vulnerabilities

Glpi Project Glpi Inventory2 vulnerabilities

Glpi Project Activity1 vulnerability

Glpi Project Barcode1 vulnerability

Glpi Project Cmdb1 vulnerability

Glpi Project Dashboard1 vulnerability

Glpi Project Manageentities1 vulnerability

Glpi Project Order1 vulnerability

Glpi Project Positions1 vulnerability

Glpi Project Reports1 vulnerability

By the Year

In 2026 there have been 10 vulnerabilities in Glpi Project with an average score of 6.3 out of ten. Last year, in 2025 Glpi Project had 21 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Glpi Project in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.47




Year Vulnerabilities Average Score
2026 10 6.26
2025 21 6.73
2024 34 7.01
2023 41 7.49
2022 32 6.60
2021 16 6.21
2020 18 6.53
2019 6 4.45
2018 3 8.80

It may take a day or so for new Glpi Project vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Glpi Project Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-26001 Mar 17, 2026
GLPI Inventory Plugin <=1.6.5 SQLi via unsanitized report input The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.
Glpi
CVE-2026-25937 Mar 17, 2026
GLPI MFA Bypass v11.0.0-11.0.5 (Fix in 11.0.6) GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.
Glpi
CVE-2026-25936 Mar 17, 2026
GLPI <11.0.6 Authenticated SQLi GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue.
Glpi
CVE-2026-22248 Mar 11, 2026
GLPI 11.0.0-11.0.4 PHP File Upload Execution (pre-11.0.5) GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.
Glpi
CVE-2026-25590 Mar 03, 2026
GLPI Inventory Plugin 1.6.6 Reflected XSS in Task Jobs (Before 1.6.6) The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.
Glpi
CVE-2026-22044 Feb 04, 2026
GLPI 0.8510.0.23 Authenticated SQL Injection GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Glpi
CVE-2026-23624 Feb 04, 2026
GLPI SSO session hijacking in v0.71-10.0.23/11.0.5 GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
Glpi
CVE-2026-22247 Feb 04, 2026
GLPI SSRF via Webhook before 11.0.5 GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Glpi
CVE-2025-66417 Jan 15, 2026
GLPI 11.0.0-11.0.3 SQLi via inventory endpoint (unauthenticated) GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Glpi
CVE-2025-64516 Jan 15, 2026
GLPI Unauthorized Document Access Pre 10.0.21/11.0.3 GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Glpi
CVE-2023-53943 Dec 18, 2025
GLPI 9.5.7 Username enumeration via password reset GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
Glpi
CVE-2025-64520 Dec 16, 2025
GLPI 9.1.0-<10.0.21: API Exposes Knowledge Base (CVE-2025-64520) GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
Glpi
CVE-2025-59935 Dec 16, 2025
GLPI 10.0.0-10.0.20 XSS via Inventory Endpoint before 10.0.21 GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Glpi
CVE-2025-32786 Nov 04, 2025
GLPI Inventory Plugin <=1.5.0 SQL Injection (fixed 1.5.1) The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.
Glpi
CVE-2025-53111 Jul 30, 2025
GLPI 0.80-10.0.18 Unauth Access (CVE-2025-53111) GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.
Glpi
CVE-2025-53112 Jul 30, 2025
GLPI 9.1-10.0.18 Permission Check RCE GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.
Glpi
CVE-2025-53113 Jul 30, 2025
GLPI 0.65-10.0.18 External Links Info Disclosure (fixed 10.0.19) GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.
Glpi
CVE-2025-53357 Jul 30, 2025
GLPI Privilege Escalation: Alter Reservations 0.78-10.0.18 (Fixed 10.0.19) GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
Glpi
CVE-2025-52567 Jul 30, 2025
GLPI <10.0.19 SSRF in RSS/External Calendar Planning (CVE-2025-52567) GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.
Glpi
CVE-2025-52897 Jul 30, 2025
GLPI 10.0.18 Planning Feature XSS/Phishing Vulnerability GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.
Glpi
CVE-2025-53008 Jul 30, 2025
Credential Theft via Malicious Payload in GLPI 9.3.1-10.0.19 GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.
Glpi
CVE-2025-27514 Jul 29, 2025
GLPI <=10.0.18 Stored XSS Kanban (fixed 10.0.19) GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.
Glpi
CVE-2025-21619 Mar 18, 2025
GLPI SQLi in Rules Config Forms Before 10.0.18 GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.
Glpi
CVE-2025-24799 Mar 18, 2025
GLPI Unauth SQLi via inventory endpoint before 10.0.18 GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
Glpi
CVE-2025-24801 Mar 18, 2025
GLPI <10.0.18 Remote PHP Upload & Exec via Authenticated User GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
Glpi
CVE-2025-25192 Feb 25, 2025
GLPI <10.0.18: Low Privilege Can Enable Debug Mode & Leak Sensitive Data GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
Glpi
CVE-2025-23046 Feb 25, 2025
GLPI OauthIMAP Auth Flaw in Mail Servers (v9.5.0-10.0.18) GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.
Glpi
CVE-2024-11955 Feb 25, 2025
GLPI <10.0.18 Open Redirect via /index.php redirect A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.
Glpi
CVE-2025-23024 Feb 25, 2025
GLPI <10.0.18 Anonymous Disables All Plugins GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
Glpi
CVE-2025-21627 Feb 25, 2025
GLPI <=10.0.17: Reflected XSS on search page (CVE-2025-21627) GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
Glpi
CVE-2025-21626 Feb 25, 2025
GLPI <10.0.18 Anonymous Info Disclosure via status.php GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.
Glpi
CVE-2024-50339 Dec 12, 2024
GLPI 9.5.0-10.0.17 Unauth Session ID Retrieval & Hijacking GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Glpi
CVE-2024-48912 Dec 11, 2024
GLPI User Account Deletion Vulnerability GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.
Glpi
CVE-2024-47761 Dec 11, 2024
GLPI Privilege Escalation Vulnerability in Notification System GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Glpi
CVE-2024-47760 Dec 11, 2024
GLPI API Privilege Escalation Vulnerability GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Glpi
CVE-2024-47758 Dec 11, 2024
GLPI API Privilege Escalation Vulnerability GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.
Glpi
CVE-2024-43416 Nov 18, 2024
GLPI 0.8010.0.16: Unauthenticated Email Enumeration via Endpoint GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
Glpi
CVE-2024-38370 Nov 15, 2024
GLPI API Document Access Control Vulnerability GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.
Glpi
CVE-2024-45610 Nov 15, 2024
GLPI Cable Form Reflected XSS Vulnerability GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.
Glpi
CVE-2024-45611 Nov 15, 2024
GLPI Access Control Bypass and Stored XSS Vulnerability GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.
Glpi
CVE-2024-45609 Nov 15, 2024
GLPI Reflected XSS Vulnerability in Reports Pages GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.
Glpi
CVE-2024-45608 Nov 15, 2024
SQL Injection Vulnerability in GLPI User Preferences GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.
Glpi
CVE-2024-43418 Nov 15, 2024
GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in Technician Interface GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
Glpi
CVE-2024-43417 Nov 15, 2024
GLPI Software Form Reflected XSS Vulnerability GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.
Glpi
CVE-2024-41679 Nov 15, 2024
SQL Injection Vulnerability in GLPI Ticket Form GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.
Glpi
CVE-2024-41678 Nov 15, 2024
GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in User Interface GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
Glpi
CVE-2024-47759 Nov 15, 2024
GLPI SVG File Script Execution Vulnerability GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.
Glpi
CVE-2024-40638 Nov 15, 2024
GLPI SQL Injection Vulnerability in User Account Management GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
Glpi
CVE-2024-37148 Jul 10, 2024
SQL Injection in GLPI AJAX (10.0.16) GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.
Glpi
CVE-2024-37149 Jul 10, 2024
GLPI Plugin Loader RCE via Authenticated PHP Upload (10.0.15) GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.
Glpi
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.