Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 10 of 11
CVE-2024-47759 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 9.2.0, < 10.0.17 | published 2024-11-15
GLPI is a free Asset and IT management software package. A technician can upload an SVG containing a malicious script. The script will then be executed when any user tries to view the document contents. Upgrade to 10.0.17.
Source: nvd
CVE-2026-25932 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0.60, < 10.0.24 | published 2026-04-06
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
Source: nvd
CVE-2024-37147 | P4 MEDIUM | CVSS 4.3 | CWE-284 | affected ≥ 0.85, < 10.0.16 | published 2024-07-10
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access to it. Upgrade to 10.0.16.
Source: nvd
CVE-2026-13490 | P4 LOW | CVSS 3.7 | CWE-285 | affected 11.0.5, 11.0.6 (+1 more) | published 2026-06-28
A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be executed remotely. This attack is characterized by high comp…
Source: nvd
CVE-2021-21325 | P4 MEDIUM | CVSS 4.8 | CWE-79 | fixed in 9.5.4 | published 2021-03-08
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.4, a new budget type can be defined by the user. This input is not correctly filtered, which results in a cross-site scripting attack. To exploit this endpoint, the attacker needs to be auth…
Source: nvd
CVE-2022-39262 | P4 MEDIUM | CVSS 4.8 | CWE-83 | affected ≥ 0.65, < 10.0.4 | fixed in 10.0.4 | published 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package. A GLPI administrator can define rich-text content to be displayed on the login page. The displayed content can contain malicious code that can be used to steal credentials. This issue has been patched; please upgrade to version 10.0.4.
Source: nvd
CVE-2021-21312 | P4 MEDIUM | CVSS 4.8 | CWE-79 | fixed in 9.5.4 | published 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or the /front/document.form.php endpoint); indeed, one of the form fields, "Web Link…
Source: nvd
CVE-2023-28636 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0.60, < 9.5.13; ≥ 10.0.0, < 10.0.7 (+2 more) | published 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.
Source: nvd
CVE-2022-41941 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0.70, < 9.5.12; ≥ 10.0.0, < 10.0.6 (+1 more) | published 2023-01-26
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.
Source: nvd
CVE-2022-39277 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0.60, < 10.0.4 | published 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched; please upgrade to…
Source: nvd
CVE-2022-39373 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 10.0.0, < 10.0.4 | published 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. An administrator may store malicious code in an entity name. This issue has been patched; please upgrade to version 10.0.4.
Source: nvd
CVE-2020-27663 | P4 MEDIUM | CVSS 4.3 | CWE-639 | fixed in 9.5.3 | published 2020-11-26
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
Source: nvd
CVE-2020-27662 | P4 MEDIUM | CVSS 4.3 | CWE-639 | fixed in 9.5.3 | published 2020-11-26
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
Source: nvd
CVE-2022-39370 | P4 MEDIUM | CVSS 4.3 | CWE-284 | affected ≥ 0.70, < 10.0.4 | published 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. Connected users may gain access to the debug panel through the GLPI update script. This issue has been patched; please upgrade to 10.0.4. As a workaround, dele…
Source: nvd
CVE-2025-23024 | P4 MEDIUM | CVSS 4.3 | CWE-285 | affected ≥ 0.72, < 10.0.18 | published 2025-02-25
GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
Source: nvd
CVE-2021-21314 | P4 MEDIUM | CVSS 4.8 | CWE-79 | fixed in 9.5.4 | published 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is an XSS vulnerability involving a logged-in user while updating a ticket.
Source: nvd
CVE-2023-22724 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 10.0.0, < 10.0.6 | fixed in 10.0.6 | published 2023-01-26
GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who view the RSS content and click on the link will execute the JavaScript.
Source: nvd
CVE-2023-22725 | P4 MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 0.60, < 9.5.12; ≥ 10.0.0, < 10.0.6 (+1 more) | published 2023-01-26
GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6, are vulnerable to Cross-site Scripting. This vulnerability allows an administrator to create a malicious external link. This issue is patched in 10.0.6.
Source: nvd
CVE-2012-4003 | P4 MEDIUM | CVSS 4.3 | CWE-79 | affected ≤ 0.83.2 (0.5 and 47 more versions) | published 2012-10-09
Multiple cross-site scripting (XSS) vulnerabilities in GLPI-PROJECT GLPI before 0.83.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.
Source: nvd
CVE-2015-7685 | P4 MEDIUM | CVSS 4.0 | CWE-264 | affected ≤ 0.85.2 | published 2015-10-05
GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.
Source: nvd