Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 2 of 11
CVE-2026-26263 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 11.0.0, < 11.0.6 | 2026-04-06
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Source: nvd
CVE-2021-21327 | P3 | HIGH | CVSS 7.5 | CWE-862 | PoC | fixed in 9.5.4 | 2021-03-08
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a non-authenticated user can remotely instantiate an object of any class existing in the GLPI environment, which can be used to carry out malicious attacks or to start a “POP chain”.
Source: nvd
CVE-2024-37149 | P2 | HIGH | CVSS 8.8 | CWE-73 | affected: ≥ 0.85, < 10.0.16 | 2024-07-10
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.
Source: nvd
CVE-2013-2225 | P3 | MEDIUM | CVSS 6.4 | PoC | affected: ≤ 0.83.9 (0.5 and 55 more versions) | 2014-05-27
inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php.
Source: nvd, osv
CVE-2013-5696 | P3 | MEDIUM | CVSS 6.8 | CWE-352 | PoC | affected: ≤ 0.84.1 (0.5 and 58 more versions) | 2013-09-23
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.
Source: nvd, osv
CVE-2013-2226 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC | affected: ≤ 0.83.8 (0.83 and 8 more versions) | 2014-05-14
Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php.
Source: nvd, osv
CVE-2025-24801 | P2 | HIGH | CVSS 8.8 | CWE-434 | affected: ≥ 0.85, < 10.0.18 | 2025-03-18
GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.
Source: nvd
CVE-2024-37148 | P2 | HIGH | CVSS 8.1 | CWE-89 | affected: ≥ 0.84, < 10.0.16 | 2024-07-10
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account's data and take control of it. Upgrade to 10.0.16.
Source: nvd
CVE-2024-27096 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≥ 0.65, < 10.0.13 | 2024-03-18
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.
Source: nvd
CVE-2020-11034 | P3 | MEDIUM | CVSS 6.1 | CWE-185 | PoC | fixed in 9.4.6 | 2020-05-05
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6.
Source: nvd
CVE-2024-31456 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≥ 9.3.0, < 10.0.15 | fixed in 10.0.15 | 2024-05-07
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.
Source: nvd
CVE-2014-9258 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | PoC | affected: ≤ 0.85 | 2014-12-19
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
Source: nvd
CVE-2022-35947 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 9.1, < 10.0.3 | fixed in 10.0.3 | 2022-09-14
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users ar
Source: nvd
CVE-2023-42802 | P2 | CRITICAL | CVSS 9.8 | CWE-20 | affected: ≥ 10.0.7, < 10.0.10 | 2023-11-02
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server req
Source: nvd
CVE-2025-66417 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 11.0.0, < 11.0.3 | 2026-01-15
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Source: nvd
CVE-2023-46726 | P3 | CRITICAL | CVSS 9.8 | CWE-74 | affected: ≥ 10.0.0, < 10.0.11 | 2023-12-13
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Source: nvd
CVE-2026-25936 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≥ 11.0.0, < 11.0.6 | 2026-03-17
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
Source: nvd
CVE-2023-42461 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | affected: ≥ 10.0.0, < 10.0.10 | 2023-09-27
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known wo
Source: nvd
CVE-2026-22044 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≥ 0.85, < 10.0.23 | 2026-02-04
GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.
Source: nvd
CVE-2023-41322 | P3 | HIGH | CVSS 8.8 | CWE-269 | affected: ≥ 9.1.0, < 10.0.10 | 2023-09-27
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to
Source: nvd