CVE-2026-13490
Published 2026-06-28
CVE-2026-13490: A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file…
Priority: P4 · 21 · low · 3.7 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.31% (22.6th percentile)
A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be executed remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | — | — |
| glpi-project | glpi | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
GHSA
A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7.
ghsa_unreviewed·2026-06-28
CVE-2026-13490 [MEDIUM] CWE-285 A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7.
VulDB
glpi-project glpi 11.0.5/11.0.6/11.0.7 Document front/document.send.php Document::canViewFile docid authorization
vuldb·2026-06-27
CVE-2026-13490 [LOW] glpi-project glpi 11.0.5/11.0.6/11.0.7 Document front/document.send.php Document::canViewFile docid authorization
A vulnerability classified as critical was found in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass.
This vulnerability is documented as CVE-2026-13490. The attack can be executed remotely. There is not any exploit available.
The vendor was contacted early about this disclosure.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.