📦 Glpi
by Glpi Project
🔍 What is Glpi?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
This SQL injection vulnerability in GLPI allows administrator users to execute arbitrary SQL commands through rules configuration forms. Attackers with admin access can potentially read, modify, or de...
This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized directories through unverified object instantiation. If exploited, this can lead to remote code execu...
This SQL injection vulnerability in GLPI allows authenticated users with statistics or reports access rights to execute arbitrary SQL queries. Attackers can extract all database data and potentially w...
CVE-2022-31056 is a critical SQL injection vulnerability in GLPI's assistance forms (Ticket/Change/Problem) that allows attackers to execute arbitrary SQL commands. All GLPI users running affected ver...
This CVE describes a SQL injection vulnerability in the Ramo plugin for GLPI 9.4.6 that allows attackers to execute arbitrary SQL commands via the idu parameter. This affects all GLPI installations us...
CVE-2025-66417 is an unauthenticated SQL injection vulnerability in GLPI's inventory endpoint. Attackers can execute arbitrary SQL commands without credentials, potentially compromising the database. ...
This vulnerability allows unauthorized users to access documents attached to any item in GLPI (tickets, assets, etc.). If the public FAQ feature is enabled, even anonymous users can exploit this flaw....
This vulnerability allows authenticated GLPI users to upload and execute arbitrary PHP files on the server, leading to remote code execution. It affects GLPI installations before version 10.0.18. Any ...
This vulnerability allows authentication bypass in GLPI when using OauthIMAP plugin with Mail servers authentication. Anyone can connect using any username that already has Oauth authorization establi...
This vulnerability in GLPI allows authenticated users to delete any user account via a specific application endpoint. It affects GLPI versions 10.0.0 through 10.0.16. Any organization using vulnerable...
GLPI versions 9.1.0 through 10.0.16 contain an API vulnerability where authenticated technicians can escalate privileges to higher-level accounts. This allows attackers with existing technician access...
This vulnerability in GLPI allows authenticated users to take control of other user accounts with equal or lower privilege levels via API exploitation. It affects GLPI installations from version 9.3.0...
This vulnerability allows unauthenticated attackers to determine whether specific email addresses correspond to valid GLPI user accounts. It affects GLPI installations from version 0.80 through 10.0.1...
This SQL injection vulnerability in GLPI allows authenticated users to execute arbitrary SQL queries. An attacker could modify other user accounts to gain unauthorized access. All GLPI instances with ...
Authenticated technician users in GLPI can upload malicious PHP scripts and hijack the plugin loader to execute arbitrary code. This affects GLPI installations with technician user accounts that have ...
CVE-2024-29889 is a SQL injection vulnerability in GLPI's saved searches feature that allows authenticated users to modify other user accounts and potentially take control of them. This affects GLPI i...
CVE-2024-27096 is a SQL injection vulnerability in GLPI's search engine that allows authenticated users to extract sensitive data from the database. This affects GLPI installations before version 10.0...
CVE-2024-27756 is a CSV injection vulnerability in GLPI that allows attackers to embed malicious formulas in asset titles. When exported to CSV and opened in spreadsheet applications like Excel, these...
This vulnerability allows authenticated attackers to execute arbitrary code on GLPI servers running PHP 7.4 by exploiting the LDAP server configuration form to run malicious code uploaded as GLPI docu...
CVE-2023-42462 is a path traversal vulnerability in GLPI's document upload functionality that allows attackers to delete arbitrary files on the server. This affects all GLPI installations running vers...
This SQL injection vulnerability in GLPI's UI layout preferences management allows attackers to execute arbitrary SQL commands. Successful exploitation can lead to administrator account takeover, pote...
This vulnerability in GLPI allows API users with read-only access to user resources to steal other users' accounts by exploiting improper privilege management. It affects GLPI installations with API a...
This SQL injection vulnerability in GLPI allows attackers to execute arbitrary SQL commands through the Computer Virtual Machine form and inventory request features. All GLPI installations running ver...
This vulnerability in GLPI allows authenticated users (and in some cases unauthenticated users) to bypass access controls and interact with, modify, or view dashboard data. It affects GLPI versions 9....
This vulnerability allows unauthenticated attackers to perform SQL injection attacks against GLPI's inventory endpoint. All GLPI installations running versions 10.0.0 through 10.0.7 are affected, and ...
This vulnerability allows a user with Technician profile in GLPI to generate a personal token for a Super-Admin account, enabling privilege escalation to administrative access. It affects GLPI version...
This vulnerability allows authenticated GLPI users to modify any user's email address, enabling account takeover through password reset functionality and potential exposure of sensitive notification d...
CVE-2022-24867 is an information disclosure vulnerability in GLPI where the LDAP password is exposed in rendered page source code due to insufficient filtering of configuration variables passed to Jav...
This vulnerability in GLPI allows authenticated users to create tickets on behalf of other users via the self-service interface, even when delegatee systems are disabled. This affects GLPI installatio...
This vulnerability allows authenticated users in GLPI (an IT management software) to perform SQL injection attacks. It affects all GLPI installations running versions 0.85 through 10.0.22. Attackers c...
GLPI administrators can exploit a Server-Side Request Forgery (SSRF) vulnerability through the Webhook feature, allowing them to make unauthorized requests to internal systems. This affects GLPI versi...
This vulnerability in GLPI allows session hijacking when remote authentication via SSO is used. An attacker on the same machine can steal another user's active GLPI session. This affects GLPI installa...
CVE-2023-53943 is a username enumeration vulnerability in GLPI's password recovery mechanism that allows attackers to determine valid user email addresses by analyzing response differences. This affec...
This vulnerability allows unauthorized users with API access to read all knowledge base entries in GLPI software. It affects GLPI installations from version 9.1.0 up to but not including 10.0.21. Orga...
This vulnerability in GLPI allows authenticated users to modify other users' reservations, potentially disrupting IT asset management and service desk operations. All GLPI installations running versio...
CVE-2025-53112 is an improper access control vulnerability in GLPI that allows unauthorized users to delete specific resources. This affects GLPI installations running versions 9.1.0 through 10.0.18. ...
GLPI versions 9.1.0 through 10.0.18 contain a vulnerability in the planning feature that allows unauthenticated attackers to craft malicious links for phishing attacks. This affects all GLPI instances...
GLPI versions 9.5.0 through 10.0.18 contain a stored cross-site scripting (XSS) vulnerability in the project kanban feature. Authenticated technicians can inject malicious scripts that execute when ot...
CVE-2025-25192 allows low-privileged users in GLPI to enable debug mode, potentially exposing sensitive system information. This affects GLPI installations before version 10.0.18. The vulnerability co...
This CVE describes an open redirect vulnerability in GLPI versions up to 10.0.17. Attackers can manipulate the 'redirect' parameter in /index.php to redirect users to malicious websites. All GLPI inst...
GLPI versions before 10.0.18 contain a reflected cross-site scripting (XSS) vulnerability on the search page. Attackers can craft malicious links to execute arbitrary JavaScript in victims' browsers. ...
This vulnerability in GLPI allows unauthorized users to download documents via the API without proper authentication. It affects GLPI installations running versions 9.2.0 through 10.0.15. Users with a...
This vulnerability allows authenticated GLPI users to bypass access controls and create private RSS feeds attached to other user accounts. Attackers can inject malicious JavaScript payloads that trigg...
This SQL injection vulnerability in GLPI allows authenticated users to execute arbitrary SQL commands by manipulating their preference settings. The attack requires valid user credentials but can lead...
CVE-2024-43417 is a reflected cross-site scripting (XSS) vulnerability in GLPI's Software form that allows unauthenticated attackers to inject malicious scripts. When a GLPI technician clicks a specia...