GLPI (glpi-project/glpi) vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in the wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 7 of 11
CVE-2022-36112 | MEDIUM (P4) | CVSS 5.8 | CWE-918 | fixed in 10.0.3 | 2022-09-14
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or external calendars in planning is subject to SSRF exploit. Server-side requests can be used to scan server ports or services opened on GL
Source: nvd
CVE-2023-28633 | MEDIUM (P4) | CVSS 5.4 | CWE-918 | affects ≥ 0.84, < 9.5.13; ≥ 10.0.0, < 10.0.7 (+2 more ranges) | 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check the safety of URLs. Versions 9.5.13 and
Source: nvd
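Both SSRF entries above (CVE-2022-36112, CVE-2023-28633) describe the same root cause: a user-supplied feed or calendar URL is fetched server-side without checking where it points, so the application becomes a port scanner for its own host and internal network, and the autodiscovery step extends the problem to a second URL the attacker never typed. The following is an added example of the outbound URL policy a fetcher should apply, not code from GLPI; the resolver injection, the fixture hostnames and the function names are assumptions made for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

# A resolver maps a hostname to its IP address strings. It is injected so the
# policy can be exercised offline with constructed DNS data (see url_is_blocked).
Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local (which covers the cloud
    metadata address 169.254.169.254), multicast, unspecified and reserved
    ranges. An IPv4-mapped IPv6 literal is unwrapped first so ::ffff:10.0.0.1
    cannot smuggle a private IPv4 target past the check."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; used only when no test resolver is injected."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> list[str]:
    """Validate a URL the server is about to fetch on a user's behalf.

    Returns the resolved, public IP addresses (as strings) or raises ValueError.
    The caller should connect to one of the returned addresses and send the
    original Host header rather than resolving the name a second time, so a
    DNS-rebinding answer cannot change the target between check and connect."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    # A literal IP must pass the same range check as a resolved name.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every answer must be public: one private A record among public ones is
    # enough for an attacker-controlled zone to reach the internal network.
    for ip in addrs:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return [str(ip) for ip in addrs]


def check_redirect(current_url: str, location: str, resolver: Resolver = system_resolver) -> str:
    """Re-validate a redirect (or autodiscovered feed) target before following it."""
    target = urljoin(current_url, location)
    check_outbound_url(target, resolver)
    return target


def url_is_blocked(url: str, resolver: Resolver = system_resolver) -> bool:
    """Convenience wrapper for logging and tests: True if the policy rejects url."""
    try:
        check_outbound_url(url, resolver)
    except ValueError:
        return False or True
    return False
```

The same check has to run again on every redirect and on every URL the autodiscovery step derives from the fetched page; validating only the first URL is exactly the gap the second CVE describes. A fetcher that also caps the response size and the number of hops closes the remaining ways to turn the feed reader into a generic proxy.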
CVE-2020-5248 | MEDIUM (P4) | CVSS 5.3 | CWE-798 | fixed in 9.4.6 | 2020-05-12
GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be re-encrypted with the new key. Problem is we can not
Source: nvd
CVE-2024-43416 | MEDIUM (P4) | CVSS 5.3 | CWE-200 | affects ≥ 0.80, < 10.0.17 | 2024-11-18
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
Source: nvd
CVE-2023-28849 | MEDIUM (P4) | CVSS 5.4 | CWE-79 | affects ≥ 10.0.0, < 10.0.7 | 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, the GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform an XSS attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.7 conta
Source: nvd
CVE-2025-53357 | MEDIUM (P4) | CVSS 5.4 | CWE-639 | affects ≥ 0.78, < 10.0.19 | 2025-07-30
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
Source: nvd
CVE-2017-11183 | MEDIUM (P4) | CVSS 4.9 | CWE-20 | affects ≤ 9.1.4 | 2017-07-28
front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter.
Source: nvd
CVE-2023-53943 | MEDIUM (P4) | CVSS 5.3 | CWE-203 | affects 9.5.7 | 2025-12-18
GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.
Source: nvd
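CVE-2024-43416 and CVE-2023-53943 above are the same weakness seen from two endpoints: the server answers differently depending on whether an address belongs to a known user, so an unauthenticated client can turn any list of addresses into a list of accounts. The following added example (not GLPI code; the user store, the handler names and the response shape are constructed for illustration) shows the leaky pattern next to a uniform-response handler, and the attacker-side differential test that tells the two apart.

```python
import secrets
from dataclasses import dataclass, field

# Constructed user store for the example: email -> user id. Not GLPI's data model.
USERS = {"alice@example.org": 1, "bob@example.org": 2}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Mailbox:
    """Stands in for the outbound mail queue so the example runs offline."""
    sent: list = field(default_factory=list)


def reset_leaky(email: str, mailbox: Mailbox) -> Response:
    """Vulnerable pattern: status and body depend on whether the address is known."""
    if email not in USERS:
        return Response(400, "Email address not found.")
    token = secrets.token_urlsafe(32)
    mailbox.sent.append((email, token))
    return Response(200, "An email has been sent to reset your password.")


def reset_uniform(email: str, mailbox: Mailbox) -> Response:
    """Hardened pattern: the client sees the same status and body for every address.

    The only difference between the branches is the mail that goes out, which the
    requester cannot observe. The unknown branch does the same token work so the
    response time does not become the oracle instead of the response body."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        mailbox.sent.append((email, token))
    else:
        secrets.token_urlsafe(32)
    return Response(200, "If an account exists for this address, an email has been sent.")


def enumerate_via_diff(handler, candidates, known_missing="nobody@example.invalid"):
    """Attacker's view of the endpoint.

    Request a baseline for an address that certainly has no account, then flag
    every candidate whose response differs from it. Against a leaky handler this
    returns the valid accounts; against a uniform handler it returns nothing."""
    baseline = handler(known_missing, Mailbox())
    return [c for c in candidates if handler(c, Mailbox()) != baseline]
```

Making the response uniform removes the content and status oracle but not the volume: the endpoint still has to be rate-limited per source and per target address, or the attacker simply moves to inbox-flooding and timing. The same uniformity rule applies to the login error ("invalid credentials" rather than "unknown user") and to any self-service lookup that takes an address as input.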
CVE-2024-23645 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 0.65, < 10.0.12 | 2024-02-01
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.
Source: nvd
CVE-2026-26027 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 11.0.0, < 11.0.6 | 2026-04-06
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Source: nvd
CVE-2012-1104 | MEDIUM (P4) | CVSS 5.3 | affects ≥ 0, < 0.84.3+dfsg.1-1 | 2019-12-05
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services is managed.
Source: osv
CVE-2023-28639 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 0.85, < 9.5.13; ≥ 10.0.0, < 10.0.7 | 2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.
Source: nvd
CVE-2022-35945 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 9.5.0, < 10.0.3; fixed in 10.0.3 | 2022-09-14
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated with the registration key is not properly escaped on the registration key configuration page. It can be used to steal a GLPI administrator co
Source: nvd
CVE-2023-34244 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 9.4.0, < 10.0.8 | 2023-07-05
GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.
Source: nvd
CVE-2025-21627 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | fixed in 10.0.18 | 2025-02-25
GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
Source: nvd
CVE-2024-45610 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 10.0.0, < 10.0.17 | 2024-11-15
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.
Source: nvd
CVE-2024-45609 | MEDIUM (P4) | CVSS 6.1 | CWE-79 | affects ≥ 0.70, < 10.0.17 | 2024-11-15
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.
Source: nvd
CVE-2021-21255 | MEDIUM (P4) | CVSS 5.7 | CWE-862 | affects 9.5.3 | 2021-03-02
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.
Source: nvd
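CVE-2025-53357 (a connected user altering another user's reservations) and CVE-2021-21255 (switching to an entity via IDOR) are both missing object-level authorization: the server trusts an identifier the client chose and never asks whether the session is entitled to that object. The following added example (not GLPI code; the entity tree, the grant table, the reservation records and the admin flag are constructed for illustration, and the recursive-grant semantics are an assumption rather than a description of GLPI's profile model) shows the check that both fixes amount to: load by id, then verify ownership or entity membership before any write.

```python
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Raised when the session is not entitled to the object it named."""


@dataclass(frozen=True)
class Reservation:
    id: int
    owner_id: int
    item: str
    begin: str
    end: str


@dataclass(frozen=True)
class Session:
    user_id: int
    active_entity: int
    is_admin: bool = False   # hypothetical "may edit any reservation" right


# Constructed fixtures. Entity 0 is the root; 1 and 3 are its children; 2 is a child of 1.
ENTITY_PARENT = {0: None, 1: 0, 2: 1, 3: 0}
# user id -> {entity id: grant is recursive (covers sub-entities)?}
ENTITY_GRANTS = {10: {1: True}, 11: {3: False}, 99: {0: True}}
RESERVATIONS = {
    100: Reservation(100, 10, "projector", "2025-08-01T09:00", "2025-08-01T11:00"),
}


def _ancestors(entity: int):
    """Yield entity, its parent, ... up to the root."""
    while entity is not None:
        yield entity
        entity = ENTITY_PARENT[entity]


def can_access_entity(user_id: int, entity: int) -> bool:
    """True if the user holds a grant on the entity itself, or a recursive grant on an ancestor."""
    grants = ENTITY_GRANTS.get(user_id, {})
    for ancestor in _ancestors(entity):
        if ancestor in grants and (ancestor == entity or grants[ancestor]):
            return True
    return False


def switch_entity(session: Session, requested: int) -> Session:
    """Fixed pattern for the entity switch: the id comes from the client, so it is
    checked against the session user's own grants instead of being trusted."""
    if requested not in ENTITY_PARENT or not can_access_entity(session.user_id, requested):
        # One error for "unknown" and "not yours": existence of other entities is not leaked.
        raise Forbidden(f"user {session.user_id} may not switch to entity {requested}")
    return replace(session, active_entity=requested)


def update_reservation(session: Session, reservation_id: int, **changes) -> Reservation:
    """Fixed pattern for the reservation edit: load by id, then enforce ownership
    (or the admin right) before applying any change."""
    current = RESERVATIONS.get(reservation_id)
    if current is None or (current.owner_id != session.user_id and not session.is_admin):
        raise Forbidden(f"reservation {reservation_id} is not editable by user {session.user_id}")
    unknown = set(changes) - {"item", "begin", "end"}
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    updated = replace(current, **changes)
    RESERVATIONS[reservation_id] = updated
    return updated


def is_forbidden(fn, *args, **kwargs) -> bool:
    """Helper for tests and logging: True if the call is refused with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The point of the "load, then check, then write" order is that the authorization decision is made on the object actually fetched from storage, not on anything the client sent; a check performed on the request parameters alone can be satisfied by a parameter that does not match the record. Returning the same error for a missing object and a foreign one keeps the endpoint from doubling as an enumeration oracle for ids.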
CVE-2022-31068 | MEDIUM (P4) | CVSS 5.3 | CWE-200 | affects ≥ 10.0.0, < 10.0.2 | 2022-06-28
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions, all GLPI instances with the native inventory in use may leak sensitive information. The feature to fetch refused files is not authenticated. This issue has been addressed in version 10.0.2 and al
Source: nvd
CVE-2023-41888 | MEDIUM (P4) | CVSS 5.4 | CWE-22 | affects ≥ 10.0.8, < 10.0.10 | 2023-09-27
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of the login page that can be used to attempt a phishing attack on user
Source: nvd