CVE-2025-21626 — Sensitive Information Exposure in Glpi

CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 54.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedFeb 25

Description

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDglpi-project/glpi0.71 — 10.0.18

▶CVEListV5glpi-project/glpi>= 0.71, < 10.0.18

🔴Vulnerability Details

OSV

CVE-2025-21626: GLPI is a free asset and IT management software package↗2025-02-25

▶