Glpi Project Security Vulnerabilities (CVEs)

The mreporting GLPI plugin before version 1.9.4 contains a SQL injection vulnerability in date change functionality. This allows authenticated attacke...

This vulnerability allows authenticated users in GLPI (an IT management software) to perform SQL injection attacks. It affects all GLPI installations ...

GLPI administrators can exploit a Server-Side Request Forgery (SSRF) vulnerability through the Webhook feature, allowing them to make unauthorized req...

This vulnerability in GLPI allows session hijacking when remote authentication via SSO is used. An attacker on the same machine can steal another user...

CVE-2025-66417 is an unauthenticated SQL injection vulnerability in GLPI's inventory endpoint. Attackers can execute arbitrary SQL commands without cr...

This vulnerability allows unauthorized users to access documents attached to any item in GLPI (tickets, assets, etc.). If the public FAQ feature is en...

CVE-2023-53943 is a username enumeration vulnerability in GLPI's password recovery mechanism that allows attackers to determine valid user email addre...

This vulnerability allows unauthorized users with API access to read all knowledge base entries in GLPI software. It affects GLPI installations from v...

This vulnerability in GLPI allows authenticated users to modify other users' reservations, potentially disrupting IT asset management and service desk...

CVE-2025-53112 is an improper access control vulnerability in GLPI that allows unauthorized users to delete specific resources. This affects GLPI inst...

GLPI versions 9.1.0 through 10.0.18 contain a vulnerability in the planning feature that allows unauthenticated attackers to craft malicious links for...

GLPI versions 9.5.0 through 10.0.18 contain a stored cross-site scripting (XSS) vulnerability in the project kanban feature. Authenticated technicians...

This vulnerability allows authenticated GLPI users to upload and execute arbitrary PHP files on the server, leading to remote code execution. It affec...

This vulnerability allows authentication bypass in GLPI when using OauthIMAP plugin with Mail servers authentication. Anyone can connect using any use...

CVE-2025-25192 allows low-privileged users in GLPI to enable debug mode, potentially exposing sensitive system information. This affects GLPI installa...

This CVE describes an open redirect vulnerability in GLPI versions up to 10.0.17. Attackers can manipulate the 'redirect' parameter in /index.php to r...

GLPI versions before 10.0.18 contain a reflected cross-site scripting (XSS) vulnerability on the search page. Attackers can craft malicious links to e...

This vulnerability in GLPI allows authenticated users to delete any user account via a specific application endpoint. It affects GLPI versions 10.0.0 ...

GLPI versions 9.1.0 through 10.0.16 contain an API vulnerability where authenticated technicians can escalate privileges to higher-level accounts. Thi...

This vulnerability in GLPI allows authenticated users to take control of other user accounts with equal or lower privilege levels via API exploitation...

This vulnerability allows unauthenticated attackers to determine whether specific email addresses correspond to valid GLPI user accounts. It affects G...

This vulnerability in GLPI allows unauthorized users to download documents via the API without proper authentication. It affects GLPI installations ru...

This vulnerability allows authenticated GLPI users to bypass access controls and create private RSS feeds attached to other user accounts. Attackers c...

This SQL injection vulnerability in GLPI allows authenticated users to execute arbitrary SQL commands by manipulating their preference settings. The a...

CVE-2024-43417 is a reflected cross-site scripting (XSS) vulnerability in GLPI's Software form that allows unauthenticated attackers to inject malicio...

This SQL injection vulnerability in GLPI allows authenticated users to execute arbitrary SQL queries. An attacker could modify other user accounts to ...

Authenticated technician users in GLPI can upload malicious PHP scripts and hijack the plugin loader to execute arbitrary code. This affects GLPI inst...

CVE-2024-29889 is a SQL injection vulnerability in GLPI's saved searches feature that allows authenticated users to modify other user accounts and pot...

This vulnerability in GLPI Agent on Windows allows local users to cause denial of service by modifying the GLPI server URL or disabling the service. I...

CVE-2024-27096 is a SQL injection vulnerability in GLPI's search engine that allows authenticated users to extract sensitive data from the database. T...

CVE-2024-27756 is a CSV injection vulnerability in GLPI that allows attackers to embed malicious formulas in asset titles. When exported to CSV and op...

This vulnerability allows authenticated attackers to execute arbitrary code on GLPI servers running PHP 7.4 by exploiting the LDAP server configuratio...

CVE-2023-42462 is a path traversal vulnerability in GLPI's document upload functionality that allows attackers to delete arbitrary files on the server...

This SQL injection vulnerability in GLPI's UI layout preferences management allows attackers to execute arbitrary SQL commands. Successful exploitatio...

This vulnerability in GLPI allows API users with read-only access to user resources to steal other users' accounts by exploiting improper privilege ma...

This SQL injection vulnerability in GLPI allows attackers to execute arbitrary SQL commands through the Computer Virtual Machine form and inventory re...

This vulnerability in GLPI allows authenticated users (and in some cases unauthenticated users) to bypass access controls and interact with, modify, o...

This vulnerability allows unauthenticated attackers to perform SQL injection attacks against GLPI's inventory endpoint. All GLPI installations running...

CVE-2023-34254 is a command injection vulnerability in GLPI Agent that allows authenticated remote administrators to execute arbitrary commands on Uni...

CVE-2022-34126 is a directory traversal vulnerability in the Activity plugin for GLPI that allows attackers to read local files on the server. This af...

This vulnerability in the Order GLPI plugin allows authenticated users with standard interface access to execute arbitrary system commands via a craft...

This vulnerability allows a user with Technician profile in GLPI to generate a personal token for a Super-Admin account, enabling privilege escalation...

This vulnerability allows authenticated GLPI users to modify any user's email address, enabling account takeover through password reset functionality ...

CVE-2022-24867 is an information disclosure vulnerability in GLPI where the LDAP password is exposed in rendered page source code due to insufficient ...