Glpi Project Glpi

By the Year

In 2026 there have been 10 vulnerabilities in Glpi Project Glpi with an average score of 6.3 out of ten. Last year, in 2025, Glpi had 21 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Glpi in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.47.




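| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 10 | 6.26 |
| 2025 | 21 | 6.73 |
| 2024 | 32 | 6.96 |
| 2023 | 35 | 7.43 |
| 2022 | 29 | 6.55 |
| 2021 | 14 | 6.26 |
| 2020 | 18 | 6.53 |
| 2019 | 6 | 4.45 |
| 2018 | 3 | 8.80 |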

It may take a day or so for new Glpi vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Glpi Project Glpi Security Vulnerabilities

GLPI Inventory Plugin <=1.6.5 SQLi via unsanitized report input
CVE-2026-26001 7.1 - High - March 17, 2026

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, unsanitized user input can lead to a SQL injection from reports, given adequate rights. This vulnerability is fixed in 1.6.6.

SQL Injection

GLPI MFA Bypass v11.0.0-11.0.5 (Fix in 11.0.6)
CVE-2026-25937 6.5 - Medium - March 17, 2026

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

Authentication

GLPI <11.0.6 Authenticated SQLi
CVE-2026-25936 6.5 - Medium - March 17, 2026

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.

SQL Injection

GLPI 11.0.0-11.0.4 PHP File Upload Execution (pre-11.0.5)
CVE-2026-22248 8.1 - High - March 11, 2026

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

Marshaling, Unmarshaling

GLPI Inventory Plugin 1.6.6 Reflected XSS in Task Jobs (Before 1.6.6)
CVE-2026-25590 4.5 - Medium - March 03, 2026

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.

XSS

GLPI 0.85-10.0.23 Authenticated SQL Injection
CVE-2026-22044 6.5 - Medium - February 04, 2026

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

SQL Injection

GLPI SSO session hijacking in v0.71-10.0.23/11.0.5
CVE-2026-23624 4.3 - Medium - February 04, 2026

GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .

Session Fixation

GLPI SSRF via Webhook before 11.0.5
CVE-2026-22247 4.1 - Medium - February 04, 2026

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform an SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.

SSRF

GLPI 11.0.0-11.0.3 SQLi via inventory endpoint (unauthenticated)
CVE-2025-66417 7.5 - High - January 15, 2026

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.

SQL Injection

GLPI Unauthorized Document Access Pre 10.0.21/11.0.3
CVE-2025-64516 7.5 - High - January 15, 2026

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

Authorization

GLPI 9.5.7 Username enumeration via password reset
CVE-2023-53943 5.3 - Medium - December 18, 2025

GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.

Side Channel Attack

GLPI 9.1.0-<10.0.21: API Exposes Knowledge Base (CVE-2025-64520)
CVE-2025-64520 6.5 - Medium - December 16, 2025

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

AuthZ

GLPI 10.0.0-10.0.20 XSS via Inventory Endpoint before 10.0.21
CVE-2025-59935 6.5 - Medium - December 16, 2025

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

XSS

GLPI Inventory Plugin <=1.5.0 SQL Injection (fixed 1.5.1)
CVE-2025-32786 7.5 - High - November 04, 2025

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.

SQL Injection

GLPI 0.80-10.0.18 Unauth Access (CVE-2025-53111)
CVE-2025-53111 - July 30, 2025

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.

Authorization

GLPI 9.1-10.0.18 Permission Check RCE
CVE-2025-53112 - July 30, 2025

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.

Authorization

GLPI 0.65-10.0.18 External Links Info Disclosure (fixed 10.0.19)
CVE-2025-53113 - July 30, 2025

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.

Authorization

GLPI Privilege Escalation: Alter Reservations 0.78-10.0.18 (Fixed 10.0.19)
CVE-2025-53357 - July 30, 2025

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.

Insecure Direct Object Reference / IDOR

GLPI <10.0.19 SSRF in RSS/External Calendar Planning (CVE-2025-52567)
CVE-2025-52567 5 - Medium - July 30, 2025

GLPI is a Free Asset and IT Management Software package that provides data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to an SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.

SSRF

GLPI 10.0.18 Planning Feature XSS/Phishing Vulnerability
CVE-2025-52897 6.1 - Medium - July 30, 2025

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.

Open Redirect

Credential Theft via Malicious Payload in GLPI 9.3.1-10.0.19
CVE-2025-53008 - July 30, 2025

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.

Insufficiently Protected Credentials

GLPI <=10.0.18 Stored XSS Kanban (fixed 10.0.19)
CVE-2025-27514 5.4 - Medium - July 29, 2025

GLPI is a Free Asset and IT Management Software package that provides data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.

XSS

GLPI SQLi in Rules Config Forms Before 10.0.18
CVE-2025-21619 9.8 - Critical - March 18, 2025

GLPI is a free asset and IT management software package. An administrator user can perform a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

SQL Injection

GLPI Unauth SQLi via inventory endpoint before 10.0.18
CVE-2025-24799 9.8 - Critical - March 18, 2025

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

SQL Injection

GLPI <10.0.18 Remote PHP Upload & Exec via Authenticated User
CVE-2025-24801 8.8 - High - March 18, 2025

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

Unrestricted File Upload

GLPI OauthIMAP Auth Flaw in Mail Servers (v9.5.0-10.0.18)
CVE-2025-23046 7.5 - High - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Incorrect Implementation of Authentication Algorithm

GLPI <10.0.18: Low Privilege Can Enable Debug Mode & Leak Sensitive Data
CVE-2025-25192 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Information Disclosure

GLPI <10.0.18 Open Redirect via /index.php redirect
CVE-2024-11955 6.1 - Medium - February 25, 2025

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Open Redirect

GLPI <10.0.18 Anonymous Info Disclosure via status.php
CVE-2025-21626 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

Information Disclosure

GLPI <=10.0.17: Reflected XSS on search page (CVE-2025-21627)
CVE-2025-21627 6.1 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

XSS

GLPI <10.0.18 Anonymous Disables All Plugins
CVE-2025-23024 4.3 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

AuthZ

GLPI 9.5.0-10.0.17 Unauth Session ID Retrieval & Hijacking
CVE-2024-50339 5.3 - Medium - December 12, 2024

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the session IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Session Fixation

GLPI User Account Deletion Vulnerability
CVE-2024-48912 8.1 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI API Privilege Escalation Vulnerability
CVE-2024-47760 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI Privilege Escalation Vulnerability in Notification System
CVE-2024-47761 7.2 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Authentication

GLPI API Privilege Escalation Vulnerability
CVE-2024-47758 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI 0.80-10.0.16: Unauthenticated Email Enumeration via Endpoint
CVE-2024-43416 5.3 - Medium - November 18, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Information Disclosure

GLPI API Document Access Control Vulnerability
CVE-2024-38370 7.5 - High - November 15, 2024

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.

AuthZ

GLPI Access Control Bypass and Stored XSS Vulnerability
CVE-2024-45611 5.4 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to trigger a stored XSS. Upgrade to 10.0.17.

XSS

GLPI Cable Form Reflected XSS Vulnerability
CVE-2024-45610 6.1 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

XSS

GLPI Reflected XSS Vulnerability in Reports Pages
CVE-2024-45609 6.1 - Medium - November 15, 2024

GLPI is a Free Asset and IT Management Software package that provides data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI User Preferences
CVE-2024-45608 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can perform a SQL injection by changing their preferences. Upgrade to 10.0.17.

SQL Injection

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in Technician Interface
CVE-2024-43418 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

GLPI Software Form Reflected XSS Vulnerability
CVE-2024-43417 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI Ticket Form
CVE-2024-41679 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

SQL Injection

GLPI SVG File Script Execution Vulnerability
CVE-2024-47759 4.8 - Medium - November 15, 2024

GLPI is a free Asset and IT management software package. A technician can upload an SVG containing a malicious script. The script will then be executed when any user tries to view the document contents. Upgrade to 10.0.17.

XSS

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in User Interface
CVE-2024-41678 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

GLPI SQL Injection Vulnerability in User Account Management
CVE-2024-40638 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

SQL Injection

SQL Injection in GLPI AJAX (10.0.16)
CVE-2024-37148 8.1 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.

SQL Injection

GLPI Plugin Loader RCE via Authenticated PHP Upload (10.0.15)
CVE-2024-37149 8.8 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Code Injection
