Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 5 of 11
CVE-2022-24867 · P3 · HIGH · CVSS 7.5 · CWE-200 · fixed in 10.0.0 · 2022-04-21 · source: nvd
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. When the configuration is passed to the JavaScript front end, some entries are filtered out, but the ldap_pass variable is not: viewing the source of the rendered page reveals the password for the LDAP root DN.
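The failure above is a denylist that forgot one key. The following example is added for this page and is not GLPI's own code; the configuration array, the key names and the allowlist are constructed for illustration. It contrasts the denylist export with an allowlist export and runs the same check a practitioner would run against a rendered page (grep the inline script for sensitive key names).

```php
<?php
declare(strict_types=1);
// Added example (not GLPI's code). Exporting server-side configuration to
// the browser: denylist (what the advisory describes) versus allowlist.

/**
 * Denylist: every key not explicitly removed is exported. A secret added
 * later, or simply forgotten (ldap_pass here), leaks into the page source.
 */
function exportConfigDenylist(array $config): string
{
    unset($config['dbpassword'], $config['smtp_passwd']); // ldap_pass forgotten
    // JSON_HEX_* keeps the JSON from breaking out of an inline <script>.
    return json_encode($config, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/**
 * Allowlist: only keys the front end needs are exported; a new secret in the
 * array cannot leak unless someone deliberately adds it to $allowed.
 */
function exportConfigAllowlist(array $config, array $allowed): string
{
    $public = array_intersect_key($config, array_flip($allowed));
    return json_encode($public, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample configuration (hypothetical keys and values).
$config = [
    'url_base'   => 'https://glpi.example.internal',
    'language'   => 'en_GB',
    'dbpassword' => 'db-secret',
    'ldap_pass'  => 'ldap-bind-secret',   // the key that leaked in CVE-2022-24867
];
$allowed = ['url_base', 'language'];

$leaky = exportConfigDenylist($config);
$safe  = exportConfigAllowlist($config, $allowed);

// The check: does any sensitive key name appear in what reaches the browser?
foreach (['ldap_pass', 'dbpassword', 'smtp_passwd'] as $key) {
    printf("%-12s denylist: %-6s allowlist: %s\n",
        $key,
        str_contains($leaky, $key) ? 'LEAKED' : 'ok',
        str_contains($safe, $key)  ? 'LEAKED' : 'ok');
}
echo "<script>window.CFG = $safe;</script>\n";
```

Against a live instance the equivalent check is to fetch the login or central page with the browser's developer tools or curl and search the inline scripts for `ldap_pass`; a hit on a version before 10.0.0 confirms exposure.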
CVE-2024-38370 · P3 · HIGH · CVSS 7.5 · CWE-285 · affected ≥ 9.2.0, < 10.0.16 · 2024-11-15 · source: nvd
GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 10.0.16, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.
CVE-2021-39209 · P3 · HIGH · CVSS 8.8 · CWE-352 · fixed in 9.5.6 · 2021-09-15 · source: nvd
GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.
CVE-2026-42321 · P3 · HIGH · CVSS 8.4 · CWE-79 · affected ≥ 10.0.4, < 10.0.25 · 2026-06-03 · source: nvd
GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
CVE-2020-11031 · P3 · HIGH · CVSS 7.5 · CWE-327 · fixed in 9.5.0 · 2020-09-23 · source: nvd
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the encrypted data relies on the password used: if a user sets a weak or predictable password, an attacker can decrypt the data. This is fixed in version 9.5.0 by using a more secure encryption library, sodium.
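The fix replaced password-dependent encryption with a library whose security rests on a random key and an authenticated cipher. The example below is added for this page and is not GLPI's own code: it shows that pattern with PHP's bundled sodium extension (sodium_crypto_secretbox, XSalsa20-Poly1305). The key file path is hypothetical and the plaintext is a constructed sample.

```php
<?php
declare(strict_types=1);
// Added example (not GLPI's code). Random key from the CSPRNG instead of a
// user-chosen password, fresh nonce per message, and a MAC so tampering is
// detected instead of silently producing garbage.

function loadOrCreateKey(string $path): string
{
    if (is_file($path)) {
        $key = (string) file_get_contents($path);
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new RuntimeException("corrupt key file: $path");
        }
        return $key;
    }
    $key = sodium_crypto_secretbox_keygen();            // 32 random bytes
    if (file_put_contents($path, $key, LOCK_EX) === false) {
        throw new RuntimeException("cannot write key file: $path");
    }
    chmod($path, 0600);                                  // web server user only
    return $key;
}

function encryptValue(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // never reuse with the same key
    $ct    = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ct);                  // nonce travels with the ciphertext
}

function decryptValue(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt    = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $pt;
}

$keyFile = sys_get_temp_dir() . '/glpi-example.key';    // hypothetical location
$key     = loadOrCreateKey($keyFile);

$blob = encryptValue('ldap bind password: s3cret', $key); // constructed sample secret
echo decryptValue($blob, $key), "\n";

// Tampering is detected: flip the last byte of the ciphertext and retry.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decryptValue(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
sodium_memzero($key);
```

The point of the construction is that nothing a user types feeds into the key; rotating the key means re-encrypting stored values, which a migration would need to handle.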
CVE-2020-11032 · P3 · HIGH · CVSS 7.2 · CWE-89 · affected 9.4.5 · fixed in 9.4.6 · 2020-05-05 · source: nvd
In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.
CVE-2026-42318 · P3 · HIGH · CVSS 7.0 · CWE-862 · affected ≥ 9.5.0, < 10.0.25 and ≥ 11.0.0, < 11.0.7 · 2026-06-03 · source: nvd
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.
CVE-2026-25937 · P3 · MEDIUM · CVSS 6.5 · CWE-287 · affected ≥ 11.0.0, < 11.0.6 · 2026-03-18 · source: nvd
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.
CVE-2020-15108 · P3 · HIGH · CVSS 7.1 · CWE-89 · fixed in 9.5.1 · 2020-07-17 · source: nvd
In glpi before 9.5.1, there is a SQL injection for all usages of the "Clone" feature. This has been fixed in 9.5.1.
CVE-2020-11035 · P3 · CRITICAL · CVSS 9.3 · CWE-327 · affected > 0.83.3, < 9.4.6 · 2020-05-05 · source: nvd
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand, uniqid and MD5, which do not provide secure values. This is fixed in version 9.4.6.
CVE-2026-42317 · P3 · HIGH · CVSS 7.0 · CWE-862 · affected ≥ 0.78, < 10.0.25 and ≥ 11.0.0, < 11.0.7 · 2026-06-03 · source: nvd
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
CVE-2026-23624 · P3 · MEDIUM · CVSS 6.5 · CWE-384 · affected ≥ 0.71, < 10.0.23 and ≥ 11.0.0, < 11.0.5 (+2 more) · 2026-02-04 · source: nvd
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions 10.0.23 and 11.0.5.
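The class of bug here is a session that stays bound to the first user who opened it even after the SSO layer starts asserting a different identity. The example below is added for this page and is not GLPI's own code: it binds the session to the SSO-asserted user and rekeys it whenever that identity changes. The header name REMOTE_USER, the session keys and the two-user scenario are constructed; in a real handler $regenerate would be `fn() => session_regenerate_id(true)` and $session would be $_SESSION.

```php
<?php
declare(strict_types=1);
// Added example (not GLPI's code). Session binding for SSO-variable
// authentication: a session left open by one user must not be reused by the
// next person the reverse proxy authenticates on the same browser.

function ssoUser(array $server, string $var = 'REMOTE_USER'): ?string
{
    $u = $server[$var] ?? '';
    return $u === '' ? null : $u;
}

/**
 * Binds $session to the identity the SSO layer asserts. Returns that identity,
 * or null when no SSO identity is present (the caller treats null as
 * unauthenticated). $regenerate is injected so the logic runs without a
 * real PHP session.
 */
function bindSession(array &$session, array $server, callable $regenerate): ?string
{
    $user = ssoUser($server);
    if ($user === null) {
        return null;
    }
    $bound = $session['sso_user'] ?? null;
    if ($bound !== $user) {
        // New or different identity: drop everything the previous user left
        // behind and issue a fresh session id so the old cookie is worthless.
        $session = [];
        $regenerate();
        $session['sso_user'] = $user;
        $session['login_at'] = time();
    }
    return $user;
}

// Constructed scenario: alice logs in and leaves private state in the
// session; bob then uses the same browser, so the same session cookie,
// and the proxy asserts his identity instead.
$session     = [];
$regenerated = 0;
$regen       = function () use (&$regenerated): void { $regenerated++; };

bindSession($session, ['REMOTE_USER' => 'alice'], $regen);
$session['cart'] = ['ticket#1'];                       // alice's private state

bindSession($session, ['REMOTE_USER' => 'bob'], $regen);
printf("bound to %s, alice's state present: %s, regenerations: %d\n",
    $session['sso_user'], isset($session['cart']) ? 'yes' : 'no', $regenerated);

// Same identity again: nothing is reset, the session id is kept.
bindSession($session, ['REMOTE_USER' => 'bob'], $regen);
printf("still %s, regenerations: %d\n", $session['sso_user'], $regenerated);
```

The bound identity must be compared on every request, not only at login, because with header-based SSO the application never sees a login form and has no other signal that the person behind the cookie changed.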
CVE-2019-10233 · P3 · HIGH · CVSS 8.1 · CWE-203 · fixed in 9.4.1.1 · 2019-03-27 · source: nvd
Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.
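CVE-2020-11035 above (token built from rand, uniqid and MD5) and CVE-2019-10233 (timing attack on a cookie value) are the two halves of the same secret-handling problem: how a token is generated and how it is compared. The example below is added for this page and is not GLPI's own code. weakCsrfToken() reconstructs the construction the CVE-2020-11035 advisory names; leakyVerify() is a constructed illustration of the early-exit comparison behind a timing attack of the CVE-2019-10233 kind, not GLPI's actual comparison; strongCsrfToken() and verifyToken() are the replacements.

```php
<?php
declare(strict_types=1);
// Added example (not GLPI's code). Weak versus strong token generation, and
// timing-leaky versus constant-time comparison of a token carried in a
// cookie or form field.

function weakCsrfToken(): string
{
    // uniqid() is the microsecond clock; since PHP 7.1 rand() is an alias of
    // mt_rand(), a non-cryptographic generator fully determined by its seed;
    // md5() adds no entropy. Guessable by anyone who can estimate time and seed.
    return md5(uniqid((string) rand(), true));
}

function strongCsrfToken(): string
{
    return bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
}

// Early-exit compare: stops at the first differing byte, so the response
// time grows with the number of leading bytes the attacker has right.
// Against a cookie-borne secret that is enough to recover it byte by byte.
function leakyVerify(string $expected, string $presented): bool
{
    if (strlen($expected) !== strlen($presented)) {
        return false;
    }
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        if ($expected[$i] !== $presented[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time compare: hash_equals() touches every byte regardless of
// where the first mismatch is.
function verifyToken(string $expected, string $presented): bool
{
    return hash_equals($expected, $presented);
}

// rand() is reproducible from its seed: whoever knows or recovers the seed
// regenerates the "random" part of the weak token.
mt_srand(1234);
$first = rand();
mt_srand(1234);
printf("rand() repeats under the same seed: %s\n", $first === rand() ? 'yes' : 'no');

printf("weak token:   %s\n", weakCsrfToken());
$token = strongCsrfToken();
printf("strong token: %s\n", $token);

// Validate what the client presents against the stored value.
$presented = $token;                            // legitimate request
$forged    = substr($token, 0, 60) . 'beef';    // attacker has 60 of 64 hex chars right
printf("legit  leaky=%s constant-time=%s\n",
    var_export(leakyVerify($token, $presented), true),
    var_export(verifyToken($token, $presented), true));
printf("forged leaky=%s constant-time=%s\n",
    var_export(leakyVerify($token, $forged), true),
    var_export(verifyToken($token, $forged), true));
```

Both functions return false for the forged value; the difference is only in how long leakyVerify() takes to say so, which is exactly what a remote attacker measures.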
CVE-2020-11033 · P3 · HIGH · CVSS 7.2 · CWE-200 · affected ≥ 9.1, < 9.4.6 · 2020-05-05 · source: nvd
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can
CVE-2022-35946 · P3 · MEDIUM · CVSS 6.5 · CWE-89 · affected ≥ 0.72, < 10.0.3 · fixed in 10.0.3 · 2022-09-14 · source: nvd
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker ca
CVE-2026-44281 · P3 · HIGH · CVSS 7.0 · CWE-862 · affected ≥ 0.78, < 10.0.25 and ≥ 11.0.0, < 11.0.7 · 2026-06-03 · source: nvd
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.
CVE-2023-23610 · P3 · MEDIUM · CVSS 6.5 · CWE-269 · affected ≥ 0.65, < 9.5.12 and ≥ 10.0.0, < 10.0.6 (+2 more) · 2023-01-26 · source: nvd
GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched i
CVE-2023-34106 · P3 · MEDIUM · CVSS 6.5 · CWE-284 · affected ≥ 0.68, < 10.0.8 · 2023-07-05 · source: nvd
GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.
CVE-2023-34107 · P3 · MEDIUM · CVSS 6.5 · CWE-284 · affected ≥ 9.2.0, < 10.0.8 · 2023-07-05 · source: nvd
GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user, which allows viewing all KnowbaseItems. Version 10.0.8 has a patch for this issue.
CVE-2025-21626 · P3 · MEDIUM · CVSS 6.5 · CWE-200 · affected ≥ 0.71, < 10.0.18 · 2025-02-25 · source: nvd
GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensit