CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Feb 2026 — GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. • https://github.com/glpi-project/glpi/releases/tag/10.0.23 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

04 Feb 2026 — GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . • https://github.com/glpi-project/glpi/releases/tag/10.0.23 • CWE-384: Session Fixation •

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

15 Jan 2026 — GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. • https://packetstorm.news/files/id/215752 • CWE-284: Improper Access Control • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Dec 2025 — GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch. • https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3 • CWE-862: Missing Authorization •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Dec 2025 — GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. • https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Aug 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19. • https://github.com/glpi-project/glpi/releases/tag/10.0.19 • CWE-269: Improper Privilege Management •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 3.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j • CWE-284: Improper Access Control • CWE-862: Missing Authorization •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r • CWE-284: Improper Access Control • CWE-862: Missing Authorization •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j • CWE-284: Improper Access Control • CWE-862: Missing Authorization •