Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 6 of 11
CVE-2025-53111 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | affected: >= 0.80, < 10.0.19 | 2025-07-30
GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.
Source: nvd
CVE-2025-53008 | P3 | MEDIUM | CVSS 6.5 | CWE-522 | affected: >= 9.3.1, < 10.0.19 | 2025-07-30
GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.
Source: nvd
CVE-2024-27937 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | affected: >= 10.0.0, < 10.0.13 | 2024-03-18
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.
Source: nvd
CVE-2021-21324 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 9.5.4 | 2021-03-08
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users lo
Source: nvd
CVE-2020-26212 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 9.5.3 | 2020-11-25
GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce t
Source: nvd
CVE-2024-27930 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | affected: >= 0.78, < 10.0.13 | 2024-03-18
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.
Source: nvd
CVE-2022-29250 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: v10.0.0 | fixed in 10.0.1 | 2022-06-09
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.
Source: nvd
CVE-2023-41321 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | affected: >= 9.1.1, < 10.0.10 | 2023-09-27
GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known
Source: nvd
CVE-2025-25192 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 10.0.18 | 2025-02-25
GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
Source: nvd
CVE-2026-42320 | P3 | MEDIUM | CVSS 5.9 | CWE-862 | affected: >= 11.0.0, < 11.0.7 and >= 0.50, < 10.0.25 | 2026-06-03
GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Source: nvd
CVE-2021-21326 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 9.5.4 | 2021-03-08
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with the self-service interface without delegatee systems enabled. This is fixed in version 9.5.4.
Source: nvd
CVE-2022-39376 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | affected: >= 0.65, < 10.0.4 | 2022-11-03
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no kn
Source: nvd
CVE-2021-39210 | P4 | MEDIUM | CVSS 6.5 | CWE-1004 | fixed in 9.5.6 | 2021-09-15
GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may
Source: nvd
CVE-2012-1037 | P4 | MEDIUM | CVSS 6.5 | CWE-94 | affected: v0.78, v0.78.1, +12 more | 2012-07-12
PHP remote file inclusion vulnerability in front/popup.php in GLPI 0.78 through 0.80.61 allows remote authenticated users to execute arbitrary PHP code via a URL in the sub_type parameter.
Source: nvd
CVE-2026-40108 | P4 | HIGH | CVSS 7.1 | CWE-79 | affected: >= 11.0.0, < 11.0.7 | 2026-06-02
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in an ITIL cost. This issue has been fixed in version 11.0.7.
Source: nvd
CVE-2025-59935 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | affected: >= 10.0.0, < 10.0.21 | 2025-12-16
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
Source: nvd
CVE-2016-7507 | P4 | HIGH | CVSS 8.0 | CWE-352 | affected: v0.90.4 | 2017-07-19
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
Source: nvd
CVE-2019-13240 | P4 | MEDIUM | CVSS 5.9 | CWE-640 | fixed in 9.4.1 | 2019-07-10
An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.
Source: nvd
CVE-2024-11955 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | affected: >= 0.85, < 10.0.18 (v10.0.0, +17 more) | 2025-02-25
A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to vers
Source: nvd
CVE-2025-52897 | P4 | MEDIUM | CVSS 6.1 | CWE-80 | affected: >= 9.1.0, < 10.0.19 | 2025-07-30
GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.
Source: nvd