CVE-2026-26263
Published 2026-04-06
Priority P270 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.74% (94.5th percentile)
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | >= 11.0.0 < 11.0.6 | 11.0.6 |
Detection & IOCs (extracted from sources)
- The vulnerability is an unauthenticated time-based blind SQL injection in GLPI's Search engine, affecting versions 11.0.0 to before 11.0.6. Monitor for anomalous time-delay patterns (e.g., SLEEP/WAITFOR-based payloads) in unauthenticated requests to GLPI search endpoints.
- No authentication is required to trigger this SQLi. Any unauthenticated HTTP request hitting GLPI search functionality on versions 11.0.0–11.0.5 should be treated as suspicious and investigated for SQL injection payloads.
- The vulnerability is fixed in GLPI 11.0.6. Only GLPI instances running versions 11.0.0 through 11.0.5 are affected. Instances on the 10.x branch are not affected by this specific CVE.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- OSV: 9.8 CRITICAL
VulDB
glpi-project glpi up to 11.0.5 Search Engine SQL injection (GHSA-346p-qj3v-9rxj / Nessus ID 305617)
vuldb · 2026-04-13 · CVSS 8.1 · HIGH
A vulnerability classified as critical has been found in glpi-project glpi up to 11.0.5. The impacted element is an unknown function of the component Search Engine. The manipulation leads to SQL injection.
This vulnerability is documented as CVE-2026-26263. The attack can be initiated remotely. No exploit is available.
It is recommended to upgrade the affected component.
OSV
CVE-2026-26263: GLPI is a free asset and IT management software package
osv · 2026-04-07 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-29047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · HIGH
## CVE-2026-29047: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Source: NVD
Score: 8.8
Published: April 6, 2026
Severity: HIGH
CNA Score: 7.2
Affected Technologies: GLPI
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources:
- Linux · Severity HIGH · Has Fix · Added at: Apr 09, 2026
- Windows · Severity HIGH · Has Fix · Added at: Apr 09, 2026
- Linux Severity HIGH Has Fix Ad
Wiz
CVE-2026-26263 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · HIGH
## CVE-2026-26263: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 9.8
Published: April 6, 2026
Severity: CRITICAL
CNA Score: 8.1
Affected Technologies: GLPI
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources:
- Linux · Severity CRITICAL · Has Fix · Added at: Apr 09, 2026
- Windows · Severity CRITICAL · Has Fix · Added at: Apr 09, 2026
- Linux Severity CRITICAL Has Fix Added a
Wiz
CVE-2026-26026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · HIGH
## CVE-2026-26026: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 7.2
Published: April 6, 2026
Severity: HIGH
CNA Score: 9.1
Affected Technologies: GLPI
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 14
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources:
- Linux · Severity HIGH · Has Fix · Added at: Apr 09, 2026
- Windows · Severity HIGH · Has Fix · Added at: Apr 09, 2026
- Linux · Severity HIGH · Has Fix · Added at: Apr 10, 2026
- Windows Severity HIGH Has Fix
Wiz
CVE-2026-25932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · HIGH
## CVE-2026-25932: GLPI vulnerability analysis and mitigation
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
Source: NVD
Score: 4.8
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 7.2
Affected Technologies: GLPI
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources:
- Linux · Severity MEDIUM · Has Fix · Added at: Apr 09, 2026
- Windows · Severity MEDIUM · Has Fix · Added at: Apr 09, 2026
- Linux Severity MEDIUM Has Fix Added at: Apr 10,
Wiz
CVE-2026-26027 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2 · HIGH
## CVE-2026-26027: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 6.1
Published: April 6, 2026
Severity: MEDIUM
CNA Score: 7.5
Affected Technologies: GLPI
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources:
- Linux · Severity MEDIUM · Has Fix · Added at: Apr 09, 2026
- Windows · Severity MEDIUM · Has Fix · Added at: Apr 09, 2026
- Linux Severity MEDIUM Has Fix Added at: Apr 10,