
CVE-2025-27147 – GLPI Inventory plugin has Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2025-27147
25 Mar 2025 — The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMware ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability.
• https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-73: External Control of File Name or Path
• CWE-552: Files or Directories Accessible to External Parties

CVE-2025-26626 – GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting
https://notcve.org/view.php?id=CVE-2025-26626
14 Mar 2025 — The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to the execution of JavaScript code. Version 1.5.0 fixes the issue.
• https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.0/CHANGELOG.md#150---2025-02-25
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')