CVE-2026-26263
published 2026-04-06


Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.74% (94.5th percentile)
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

Affected (2 ranges)

Vendor        Product   Version range          Fixed in
glpi-project  glpi      (not stated)           (not stated)
glpi-project  glpi      >= 11.0.0, < 11.0.6    11.0.6

Detection & IOCs (extracted from sources)

  • The vulnerability is an unauthenticated time-based blind SQL injection in GLPI's Search engine, affecting versions 11.0.0 up to but not including 11.0.6. Monitor for anomalous time-delay patterns (e.g., SLEEP- or WAITFOR-based payloads) in unauthenticated requests to GLPI search endpoints.
  • No authentication is required to trigger this SQLi. Any unauthenticated HTTP request hitting GLPI search functionality on versions 11.0.0 through 11.0.5 should be treated as suspicious and investigated for SQL injection payloads.
  • The vulnerability is fixed in GLPI 11.0.6. Only GLPI instances running versions 11.0.0 through 11.0.5 are affected. Instances on the 10.x branch are not affected by this specific CVE.

CVSS provenance

Source  CVSS version  Score  Severity  Vector
nvd     v3.1          9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv     -             9.8    CRITICAL  -