CVE-2026-11321 in DataInjection Plugininfo

Summary

by MITRE • 07/10/2026

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability exists within the DataInjection plugin for GLPI version 2.15.6 and GLPI 11 builds, representing a critical security flaw that enables authenticated SQL injection attacks through improper input handling during CSV import operations. This issue stems from the plugin's failure to properly sanitize or parameterize user-supplied data before incorporating it into SQL queries, creating an exploitable pathway for malicious actors who possess legitimate access credentials. The vulnerability specifically manifests when users import CSV files containing mapped field values that are directly concatenated into database queries without appropriate escaping or parameterization mechanisms.

The technical implementation of this flaw allows attackers to inject malicious SQL constructs through seemingly innocuous CSV fields such as Serial Number, which are commonly used in inventory management systems. When these fields contain specially crafted payloads including time-based functions like SLEEP(), the plugin executes these expressions within the context of the database query, enabling time-based blind SQL injection techniques. This method of exploitation is particularly dangerous because it allows attackers to extract information from the database through timing delays rather than direct output manipulation, making detection more challenging and the attack more stealthy.

The operational impact of this vulnerability extends beyond simple data extraction, as authenticated users with access to the Data Injection feature can potentially escalate their privileges within the system or gain unauthorized access to sensitive information stored in the backend database. The attack vector requires only legitimate user credentials, making it particularly concerning for organizations where privilege escalation could lead to broader system compromise. This vulnerability directly maps to CWE-89 which identifies improper neutralization of special elements used in SQL commands, and aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing via social media, as the attack relies on legitimate user access to execute malicious payloads within the system.

Organizations should immediately implement mitigations including patching the DataInjection plugin to version 2.15.7 or later, which addresses this specific vulnerability through proper input sanitization and parameterized query execution. System administrators should also consider implementing network segmentation to limit access to the Data Injection feature to only authorized personnel, while monitoring for unusual import patterns that might indicate exploitation attempts. The fix should incorporate proper prepared statements or parameterized queries to prevent any user-supplied data from being interpreted as SQL commands, ensuring that all CSV field values are properly escaped or validated before database insertion. Additionally, organizations should conduct regular security assessments of their GLPI installations and plugin configurations to identify similar vulnerabilities that might exist in other components of their IT infrastructure.

The vulnerability demonstrates the critical importance of input validation and parameterized queries in preventing SQL injection attacks, particularly within enterprise systems where multiple users may have varying levels of access. Organizations relying on GLPI for inventory management and system monitoring should prioritize immediate remediation efforts to protect against potential exploitation, as the combination of authenticated access and blind SQL injection techniques provides attackers with significant opportunities to extract sensitive information or compromise system integrity without detection.

Responsible

VulnCheck

Reservation

06/04/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!