SB20260406118 - Multiple vulnerabilities in GLPI

Published: April 6, 2026
Updated: April 7, 2026

Security Bulletin ID: SB20260406118
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 14%
Low: 86%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Stored cross-site scripting (CVE-ID: CVE-2026-25932)

The vulnerability allows a remote user to execute arbitrary script code in the context of the application.

The vulnerability exists due to improper encoding or escaping of output in supplier fields when handling user-supplied supplier data. A remote privileged user can store an XSS payload in supplier fields to execute arbitrary script code in the context of the application.



2) SQL injection (CVE-ID: CVE-2026-26263)

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the Search engine when processing search requests. A remote attacker can send specially crafted search input to execute arbitrary SQL commands.

The issue is a time-based blind SQL injection.


3) Stored cross-site scripting (CVE-ID: CVE-2026-26027)

The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.

The vulnerability exists due to cross-site scripting in the inventory endpoint when handling user-supplied inventory data. A remote attacker can submit a specially crafted payload to execute arbitrary script in a user's browser.


4) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-26026)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in a template engine when processing administrator-controlled template input. A remote privileged user can inject crafted template expressions to execute arbitrary code.

High privileges are required.


5) SQL injection (CVE-ID: CVE-2026-29047)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the logs export feature when processing log export requests. A remote privileged user can send a specially crafted log export request to execute arbitrary SQL commands.

Authentication with high privileges is required. The issue affects GLPI versions 10.0.0 and later before 10.0.24 and 11.0.6.


6) Improper Authentication (CVE-ID: CVE-2026-25937)

The vulnerability allows a remote user to bypass multi-factor authentication and compromise a user account.

The vulnerability exists due to improper authentication in the multi-factor authentication mechanism when processing login requests. A remote privileged user can use known user credentials to bypass multi-factor authentication and compromise a user account.


7) SQL injection (CVE-ID: CVE-2026-25936)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the SQL query handling functionality when processing user-supplied input. A remote user can send crafted input to disclose sensitive information.


Remediation

Install the update from the vendor's website.