Glpi-Project Glpi vulnerabilities

202 known vulnerabilities affecting glpi-project/glpi.

Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3

Vulnerabilities

Page 3 of 11
CVE-2019-14666 | P3 | HIGH | CVSS 8.8 | affected: ≤ 9.4.3 | published: 2019-09-25 | source: nvd
CWE-200: GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control o

CVE-2026-29047 | P3 | HIGH | CVSS 8.8 | affected: ≥ 10.0.0, < 10.0.24; ≥ 11.0.0, < 11.0.6; +2 more | published: 2026-04-06 | source: nvd
CWE-89: GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

CVE-2026-22248 | P3 | HIGH | CVSS 8.8 | affected: ≥ 11.0.0, < 11.0.5 | published: 2026-03-11 | source: nvd
CWE-502: GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

CVE-2023-28634 | P3 | HIGH | CVSS 8.8 | affected: ≥ 0.83, < 9.5.13; ≥ 10.0.0, < 10.0.7; +2 more | published: 2023-04-05 | source: nvd
CWE-285: GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation.

CVE-2023-41324 | P3 | HIGH | CVSS 8.8 | affected: ≥ 9.3.0, < 10.0.10 | published: 2023-09-27 | source: nvd
CWE-269: GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that has read access on the users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workaro

CVE-2024-47760 | P3 | HIGH | CVSS 8.8 | affected: ≥ 9.1.0, < 10.0.17 | published: 2024-12-11 | source: nvd
CWE-284: GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

CVE-2024-47758 | P3 | HIGH | CVSS 8.8 | affected: ≥ 9.3.0, < 10.0.17 | published: 2024-12-11 | source: nvd
CWE-284: GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

CVE-2015-7684 | P3 | CRITICAL | CVSS 9.0 | affected: ≤ 0.85.2 | published: 2015-10-05 | source: nvd
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

CVE-2025-21619 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 0.78, < 10.0.18 | published: 2025-03-18 | source: nvd
CWE-89: GLPI is a free asset and IT management software package. An administrator user can perform a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

CVE-2023-42462 | P3 | CRITICAL | CVSS 9.1 | affected: ≥ 10.0.0, < 10.0.10 | published: 2023-09-27 | source: nvd
CWE-22: GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vuln

CVE-2026-22247 | P3 | CRITICAL | CVSS 9.1 | affected: ≥ 11.0.0, < 11.0.5 | published: 2026-02-04 | source: nvd
CWE-918: GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF requests through the Webhook feature. This issue has been patched in version 11.0.5.

CVE-2024-45608 | P3 | HIGH | CVSS 8.8 | affected: ≥ 9.5.0, < 10.0.17 | published: 2024-11-15 | source: nvd
CWE-89: GLPI is a free asset and IT management software package. An authenticated user can perform a SQL injection by changing their preferences. Upgrade to 10.0.17.

CVE-2024-41679 | P3 | HIGH | CVSS 8.8 | affected: ≥ 10.0.0, < 10.0.17 | published: 2024-11-15 | source: nvd
CWE-89: GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

CVE-2023-28838 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0.50, < 9.5.13; ≥ 10.0.0, < 10.0.7; +2 more | published: 2023-04-05 | source: nvd
CWE-89: GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allows users with access rights to statistics or reports to extract all data from the database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

CVE-2017-11184 | P3 | CRITICAL | CVSS 9.8 | affected: ≤ 9.1.4 | published: 2017-07-28 | source: nvd
CWE-89: SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.

CVE-2017-11329 | P3 | CRITICAL | CVSS 9.8 | affected: ≤ 9.1.4 | published: 2017-07-17 | source: nvd
CWE-89: GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.

CVE-2022-39234 | P3 | HIGH | CVSS 8.8 | affected: fixed in 10.0.4 | published: 2022-11-03 | source: nvd
CWE-613: GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. T

CVE-2023-51446 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0.70, < 10.0.12 | published: 2024-02-01 | source: nvd
CWE-74: GLPI is a Free Asset and IT Management Software package. When authentication is made against an LDAP directory, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

CVE-2021-39213 | P3 | HIGH | CVSS 8.8 | affected: ≥ 9.1, < 9.5.6 | published: 2021-09-15 | source: nvd
CWE-74: GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

CVE-2023-28632 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0.83, < 9.5.13; ≥ 10.0.0, < 10.0.7; +2 more | published: 2023-04-05 | source: nvd
CWE-269: GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify the emails of any user, and can therefore take over another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notification