CVE-2026-22821 – The mreporting GLPI plugin before version 1.9.4... (How to Fix)

Q: What is the severity of CVE-2026-22821?

CVE-2026-22821 has a CVSS score of 4.9 (MEDIUM). The mreporting GLPI plugin before version 1.9.4 contains a SQL injection vulnerability in date change functionality. This allows authenticated attackers to execute arbitrary SQL commands on the database. Organizations using vulnerable versions of this plugin are affected.

📋 TL;DR

The mreporting GLPI plugin before version 1.9.4 contains a SQL injection vulnerability in date change functionality. This allows authenticated attackers to execute arbitrary SQL commands on the database. Organizations using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

mreporting GLPI plugin

Versions: All versions prior to 1.9.4

Operating Systems: All platforms running GLPI

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the GLPI interface with permissions to use mreporting functionality.

📦 What is this software?

More Reporting by Glpi Project

View all CVEs affecting More Reporting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection chaining.

🟠

Likely Case

Unauthorized data access, privilege escalation, or data manipulation within the GLPI database.

🟢

If Mitigated

Limited impact due to proper input validation and database permissions restricting damage scope.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

SQL injection vulnerabilities are commonly exploited, but this requires authenticated access to the GLPI interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.4

Vendor Advisory: https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8

Restart Required: No

Instructions:

1. Backup your GLPI installation and database. 2. Update the mreporting plugin to version 1.9.4 or later via the GLPI plugin interface or manual installation. 3. Verify the update was successful by checking the plugin version.

🔧 Temporary Workarounds

Disable mreporting plugin

all

Temporarily disable the vulnerable plugin until patching is possible

Navigate to GLPI Setup > Plugins > Disable mreporting

Restrict user permissions

all

Limit access to mreporting functionality to only essential users

Adjust user profiles in GLPI to remove mreporting access

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block SQL injection patterns
Restrict database user permissions to minimum required for application functionality

🔍 How to Verify

Check if Vulnerable:

Check mreporting plugin version in GLPI: Setup > Plugins > mreporting

Check Version:

Check GLPI interface: Setup > Plugins > mreporting shows version 1.9.4+

Verify Fix Applied:

Confirm mreporting plugin version is 1.9.4 or higher in GLPI plugin management

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by mreporting access
Unexpected database errors in application logs

Network Indicators:

Unusual SQL patterns in HTTP POST requests to mreporting endpoints

SIEM Query:

source="glpi_logs" AND ("mreporting" AND ("SQL" OR "database error" OR "syntax error"))

📊 Metadata

CVE ID: CVE-2026-22821

CVSS v3 Score: 4.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-89

EPSS Score: 0.02% exploit probability (5.9th percentile)

Published: February 12, 2026

Last Updated: February 20, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-22821, you might also want to check these: