
CVE-2025-53357 – GLPI permits reservation modification by unauthorized users
https://notcve.org/view.php?id=CVE-2025-53357
30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-53113 – GLPI technicians can access unauthorized information through external links
https://notcve.org/view.php?id=CVE-2025-53113
30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVE-2025-53112 – GLPI's incomprehensive permission checks can lead to data removal from allowed users
https://notcve.org/view.php?id=CVE-2025-53112
30 Jul 2025 — GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVE-2025-53111 – GLPI exposes data to non-allowed users
https://notcve.org/view.php?id=CVE-2025-53111
30 Jul 2025 — GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVE-2025-53008 – GLPI's MailCollector Receiver is vulnerable to credential exfiltration
https://notcve.org/view.php?id=CVE-2025-53008
30 Jul 2025 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-52h8-76ph-4j9q • CWE-522: Insufficiently Protected Credentials •

CVE-2025-52897 – GLPI is vulnerable to XSS and open redirection attacks through planning feature
https://notcve.org/view.php?id=CVE-2025-52897
30 Jul 2025 — GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-6whm-q2rp-prqm • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2025-52567 – GLPI has overly permissive URL verification
https://notcve.org/view.php?id=CVE-2025-52567
30 Jul 2025 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-27514 – GLPI is susceptible to Stored XSS attack through project's kanban
https://notcve.org/view.php?id=CVE-2025-27514
29 Jul 2025 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2025-24801 – GLPI allows authenticated remote code execution
https://notcve.org/view.php?id=CVE-2025-24801
18 Mar 2025 — GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. • https://github.com/r1beirin/CVE-2025-24801 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-24799 – GLPI allows unauthenticated SQL injection through the inventory endpoint
https://notcve.org/view.php?id=CVE-2025-24799
18 Mar 2025 — GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. GLPI suffers from an unauthenticated remote SQL injection vulnerability. This issue is fixed in version 10.0.18. • https://packetstorm.news/files/id/190526 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •