cvebase

Glpi-Project Glpi vulnerabilities

202 known vulnerabilities affecting glpi-project/glpi.

Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3

Vulnerabilities

Page 4 of 11
CVE-2017-11474 [CRITICAL] CVSS 9.8 | CWE-89 | P3 | affected: ≤ 9.1.5.0 | published 2017-07-20
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
Source: NVD
CVE-2025-53105 [HIGH] CVSS 7.5 | CWE-269 | P3 | affected: ≥ 10.0.0, < 10.0.19 | published 2025-08-27
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in
Source: NVD
CVE-2025-64516 [HIGH] CVSS 7.5 | CWE-284 | P3 | affected: ≥ 10.0.0, < 10.0.21; ≥ 11.0.0, < 11.0.3; +2 more | published 2026-01-15
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
Source: NVD
CVE-2023-41323 [MEDIUM] CVSS 5.3 | CWE-200 | P3 | affected: ≥ 0.68, < 10.0.10 | published 2023-09-27
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate user logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Source: NVD
CVE-2023-37278 [CRITICAL] CVSS 9.1 | CWE-89 | P3 | affected: ≥ 9.5.0, < 10.0.9 (fixed in 10.0.9) | published 2023-07-13
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.
Source: NVD
CVE-2018-13049 [HIGH] CVSS 8.8 | CWE-89 | P3 | affected: ≥ 9.2.0, ≤ 9.3.0 | published 2018-07-02
The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.
Source: NVD
CVE-2017-11475 [HIGH] CVSS 8.8 | CWE-89 | P3 | affected: ≤ 9.1.5.0 | published 2017-07-20
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
Source: NVD
CVE-2023-22500 [HIGH] CVSS 7.5 | CWE-863 | P3 | affected: ≥ 10.0.0, < 10.0.6 | published 2023-01-26
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are vulnerable to Incorrect Authorization. This vulnerability allows unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessible by unauthenticated users. This issue is patched in version 10.0.6. As
Source: NVD
CVE-2024-27756 [HIGH] CVSS 8.8 | CWE-94 | P3 | affected: ≤ 10.0.12 | published 2024-03-15
GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.
Source: NVD
CVE-2020-15176 [HIGH] CVSS 8.6 | CWE-89 | P3 | affected: ≥ 0.6.8, < 9.5.2 (fixed in 9.5.2) | published 2020-10-07
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize, allowing SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version
Source: NVD
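CVE-2018-13049 (a crafted LIMIT clause) and CVE-2020-15176 (an unescaped backtick) are two faces of the same defect: untrusted input reaches SQL text without the treatment its position requires. A LIMIT value must be an integer and nothing else; an identifier wrapped in backticks must have any embedded backtick doubled, otherwise the input closes the quoting early and the rest of the statement is attacker-controlled. The Python below is an example added by the editor and is not GLPI code: it uses an in-memory SQLite database, which accepts the same backtick identifier quoting as MySQL, with a constructed glpi_users table; the table contents, the payload and the function names are the example's own.

```python
import re
import sqlite3


def quote_identifier(name):
    """MySQL-style identifier quoting: wrap in backticks and double any
    backtick inside, so a value such as "name` LIMIT 1 -- " cannot close
    the quoting early. SQLite's tokenizer applies the same doubling rule."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


def quote_identifier_naive(name):
    """The failure mode described for CVE-2020-15176: wrapped, not escaped."""
    return "`" + name + "`"


def limit_clause(start, count, max_count=500):
    """Build LIMIT from untrusted input. Both values must be decimal digit
    strings and reach the SQL text only after int() conversion, so a crafted
    LIMIT (cf. CVE-2018-13049) cannot carry SQL."""
    if not (re.fullmatch(r"\d+", str(start)) and re.fullmatch(r"\d+", str(count))):
        raise ValueError("LIMIT values must be non-negative integers")
    return f"LIMIT {int(start)}, {min(int(count), max_count)}"


# Constructed sample table (not real GLPI data).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE glpi_users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO glpi_users VALUES (?, ?)", SAMPLE_USERS)
    return db


def list_users(sort_column, start, count, quoter=quote_identifier):
    """Run a listing query with a caller-supplied sort column and LIMIT.
    With the naive quoter an attacker-chosen sort column rewrites the
    statement; with quote_identifier it is simply an unknown column and the
    query fails closed."""
    sql = (f"SELECT id, name FROM glpi_users ORDER BY {quoter(sort_column)} "
           f"{limit_clause(start, count)}")
    return open_db().execute(sql).fetchall()


def rejected(fn, *args, **kwargs):
    """True if the call fails closed (input rejected or query refused)."""
    try:
        fn(*args, **kwargs)
    except (ValueError, sqlite3.OperationalError):
        return True
    return False


# Closes the backtick, then comments out the application's own LIMIT.
PAYLOAD = "name` LIMIT 1 -- "

if __name__ == "__main__":
    print("normal:", list_users("name", 0, 10))
    print("naive quoting, payload:", list_users(PAYLOAD, 0, 10, quoter=quote_identifier_naive))
    print("hardened quoting rejects payload:", rejected(list_users, PAYLOAD, 0, 10))
    print("LIMIT with SQL in it rejected:", rejected(limit_clause, "0", "10; DROP TABLE glpi_users"))
```

Quoting identifiers correctly is the fallback, not the first line of defence: where the set of sortable columns is known, compare the input against that allow-list and never let it reach the query text at all.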
CVE-2023-35939 [HIGH] CVSS 8.1 | CWE-284 | P3 | affected: ≥ 9.5.0, < 10.0.8 | published 2023-07-05
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file accessible by an authenticated user (or not for certain actions) allows a threat actor to interact with, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.
Source: NVD
CVE-2025-23046 [HIGH] CVSS 7.5 | CWE-303 | P3 | affected: ≥ 9.5.0, < 10.0.18 | published 2025-02-25
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.1
Source: NVD
CVE-2026-5385 [HIGH] CVSS 8.4 | CWE-79 | P3 | affected: before 11.0.7 (fixed in 11.0.7) | published 2026-06-02
An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.
Source: NVD
CVE-2024-48912 [HIGH] CVSS 8.1 | CWE-284 | P3 | affected: ≥ 10.0.0, < 10.0.17 | published 2024-12-11
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.
Source: NVD
CVE-2018-7562 [HIGH] CVSS 7.5 | CWE-362 | P3 | affected: ≤ 9.2.1 | published 2018-03-12
A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of secu
Source: NVD
CVE-2023-35940 [HIGH] CVSS 7.5 | CWE-284 | P3 | affected: ≥ 9.5.0, < 10.0.8 | published 2023-07-05
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to access dashboards data. Version 10.0.8 contains a patch for this issue.
Source: NVD
CVE-2024-47761 [HIGH] CVSS 7.2 | CWE-287 | P3 | affected: ≥ 0.80, < 10.0.17 | published 2024-12-11
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Source: NVD
CVE-2026-26026 [HIGH] CVSS 7.2 | CWE-94 | P3 | affected: ≥ 11.0.0, < 11.0.6 | published 2026-04-06
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.
Source: NVD
CVE-2014-8360 [HIGH] CVSS 7.5 | CWE-22 | P3 | affected: ≤ 0.84.7 | published 2015-04-14
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
Sources: NVD, OSV
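CVE-2014-8360 is the classic autoloader hazard: a request parameter names a class, the loader turns the class name into a file path, and a name containing `.._` ends up as `../` in the include path, so the "class" that gets loaded is an arbitrary local file. The Python below is an example added by the editor, not GLPI's autoloader, and it deliberately uses a PSR-0-style mapping (lower-case the name, turn underscores into directory separators, append .class.php under an assumed inc/ directory) because that is the mapping under which `.._` becomes `../`; GLPI's actual 0.84 file naming, visible in the entries above, is different. It shows the two checks that belong in front of any such mapping: an allow-list on the item type, and a containment check on the resulting path as defence in depth. The /var/www/glpi/inc location and all function names are assumptions of the example.

```python
import posixpath
import re

# Assumed install layout for the demo (POSIX paths used explicitly so the
# result does not depend on the host OS).
INC_DIR = "/var/www/glpi/inc"

# Allow-list for item type names: a letter followed by letters, digits or
# underscores. This alone rejects '.', '/', '\\' and NUL, which is the
# check that actually stops ".._".
ITEMTYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def candidate_path(itemtype, base=INC_DIR):
    """Assumed PSR-0-style mapping: lower-case the name, underscores become
    directory separators, then append .class.php. This is the step at which
    ".._" turns into "../" and escapes base."""
    rel = itemtype.lower().replace("_", "/") + ".class.php"
    return posixpath.normpath(posixpath.join(base, rel))


def is_inside(path, base=INC_DIR):
    """Containment check: the normalised path must still sit under base."""
    base = posixpath.normpath(base)
    return posixpath.commonpath([base, path]) == base


def resolve_itemtype(itemtype, base=INC_DIR):
    """Return the file to include for an item type, or raise ValueError.

    Two independent checks: the allow-list rejects anything that is not a
    plain class name, and the containment check catches any mapping bug
    that would still produce a path outside base."""
    if not ITEMTYPE_RE.fullmatch(itemtype):
        raise ValueError(f"invalid item type: {itemtype!r}")
    path = candidate_path(itemtype, base)
    if not is_inside(path, base):
        raise ValueError(f"path escapes {base}: {path}")
    return path


def rejected_itemtype(itemtype):
    """True if resolve_itemtype refuses the name."""
    try:
        resolve_itemtype(itemtype)
    except ValueError:
        return False or True
    return False


# Constructed inputs: a normal item type and a traversal attempt in the
# ".._" style the advisory describes.
NORMAL = "Computer"
TRAVERSAL = ".._.._etc_passwd"

if __name__ == "__main__":
    print("normal ->", resolve_itemtype(NORMAL))
    print("traversal maps to", candidate_path(TRAVERSAL),
          "| inside inc/:", is_inside(candidate_path(TRAVERSAL)))
    print("traversal rejected:", rejected_itemtype(TRAVERSAL))
```

The order matters: validate the name before building any path, and keep the containment check even though the allow-list already covers it, because the mapping code is the part most likely to change in a later refactor.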
CVE-2024-50339 [MEDIUM] CVSS 5.3 | CWE-79 | P3 | affected: ≥ 9.5.0, < 10.0.17 | published 2024-12-12
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Source: NVD