# CVE-2026-25936
Published 2026-03-17
Priority: P3 (57)
Severity: High, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% (25.7th percentile)
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
## Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| teclib-edition | glpi | <= 11.0.6 | — |
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| OSV | — | 8.8 | HIGH | — |
No detection rules found.
No public exploits indexed.
## CVE-2026-22044: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-22044 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.5, MEDIUM)
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | February 4, 2026 |
| Severity | HIGH |
| CNA Score | 6.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.4 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | HIGH | Has Fix | Feb 08, 2026 |
| Windows | HIGH | Has Fix | Feb 08, 2026 |
| Linux | HIGH | Has Fix | Feb 09, 2026 |
## CVE-2023-53943: GLPI vulnerability analysis and mitigation
Wiz: CVE-2023-53943 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.9, MEDIUM)
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.9 |
| Published | December 18, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | GLPI |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.3 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | MEDIUM | Has Fix | |
## CVE-2025-64516: GLPI vulnerability analysis and mitigation
Wiz: CVE-2025-64516 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.5, HIGH)
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | January 15, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.2 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | HIGH | Has Fix | |
## CVE-2026-22248: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-22248 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.1, MEDIUM)
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | March 11, 2026 |
| Severity | HIGH |
| CNA Score | 8.0 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 41.6 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources: NVD
## CVE-2025-64520: GLPI vulnerability analysis and mitigation
Wiz: CVE-2025-64520 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.5, MEDIUM)
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.3 |
| Published | December 16, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 12.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | MEDIUM | Has Fix | Dec 17, 2025 |
| Windows | MEDIUM | Has Fix | Dec 17, 2025 |
## CVE-2026-22247: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-22247 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.1, MEDIUM)
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform an SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.1 |
| Published | February 4, 2026 |
| Severity | CRITICAL |
| CNA Score | 4.1 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 3.3 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | CRITICAL | Has Fix | Feb 08, 2026 |
| Windows | CRITICAL | Has Fix | Feb 08, 2026 |
| Linux | CRITICAL | | |
## CVE-2026-25937: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-25937 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.1, MEDIUM)
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.5 |
| Published | March 18, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.1 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources: NVD

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | MEDIUM | Has Fix | Mar 19, 2026 |
| Windows | MEDIUM | Has Fix | Mar 19, 2026 |
## CVE-2025-66417: GLPI vulnerability analysis and mitigation
Wiz: CVE-2025-66417 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.5, HIGH)
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | January 15, 2026 |
| Severity | CRITICAL |
| CNA Score | 7.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 14.8 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | CRITICAL | Has Fix | Jan 18, 2026 |
| Windows | CRITICAL | Has Fix | Jan 18, 2026 |
| Linux | CRITICAL | Has Fix | |
## CVE-2026-25936: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-25936 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.1, MEDIUM)
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | March 17, 2026 |
| Severity | HIGH |
| CNA Score | 6.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 11.3 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources: NVD

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | HIGH | Has Fix | Mar 19, 2026 |
| Windows | HIGH | Has Fix | Mar 19, 2026 |
## CVE-2026-23624: GLPI vulnerability analysis and mitigation
Wiz: CVE-2026-23624 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.1, MEDIUM)
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication based on SSO variables is used, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
Source: NVD

| Field | Value |
|---|---|
| Score | 6.5 |
| Published | February 4, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 31.4 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | MEDIUM | Has Fix | |
## CVE-2025-59935: GLPI vulnerability analysis and mitigation
Wiz: CVE-2025-59935 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.5, MEDIUM)
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.5 |
| Published | December 16, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.5 |
| Affected Technologies | GLPI |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 25.2 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:glpi-project:glpi |
Sources

| Platform | Severity | Fix | Added at |
|---|---|---|---|
| Linux | MEDIUM | Has Fix | Dec 17, 2025 |
| Windows | MEDIUM | Has Fix | Dec 17, 2025 |