CVE-2026-25936 in GLPI
Summary
by MITRE • 03/17/2026
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-25936 affects GLPI, a widely used open-source asset and IT management software package that organizations rely on for maintaining inventory, tracking incidents, and managing IT infrastructure. This security flaw specifically impacts versions 11.0.0 through 11.0.5, where authenticated users can exploit a SQL injection vulnerability to execute arbitrary database commands. The issue represents a critical weakness in the application's input validation mechanisms, as it allows an attacker with valid credentials to manipulate database queries through crafted input parameters. The vulnerability exists within the application's handling of user-supplied data that is directly incorporated into SQL statements without proper sanitization or parameterization. This flaw enables an authenticated attacker to potentially extract sensitive data, modify database contents, or even escalate privileges within the system.

The vulnerability is classified under CWE-89, which specifically addresses SQL injection flaws, and aligns with ATT&CK technique T1071.005 for application layer protocol manipulation. The exploitation of this vulnerability could result in unauthorized access to critical organizational data including user credentials, asset information, and IT infrastructure details that GLPI typically manages. Organizations using affected versions face significant risk as the vulnerability requires only authenticated access, meaning that any user with valid login credentials could potentially exploit this weakness.

The fix implemented in version 11.0.6 addresses the root cause by properly sanitizing user inputs and implementing secure database query construction practices. This remediation aligns with industry best practices for preventing SQL injection attacks, including the use of prepared statements and parameterized queries.
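The defect class the analysis describes (user-supplied data spliced into SQL text) and the fix it credits (parameterized queries) are shown side by side in the following added example. This is illustrative code written for this page, not GLPI's code: the `assets` table, its columns, the owner names and the inputs are all constructed, and the database is an in-memory SQLite instance.

```python
"""Illustration of the CWE-89 pattern described above: the same lookup
written with string concatenation and with a parameterized query.
Constructed example using an in-memory SQLite database; not GLPI code."""
import sqlite3

# Constructed asset inventory (hypothetical schema, not GLPI's).
ASSETS = [
    (1, "laptop-01", "alice"),
    (2, "laptop-02", "bob"),
    (3, "server-01", "carol"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", ASSETS)
    conn.commit()
    return conn


def assets_by_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    character in `owner` changes the structure of the statement (CWE-89)."""
    sql = f"SELECT id, name FROM assets WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def assets_by_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value is bound as a parameter, so the database
    engine treats it purely as data regardless of its contents."""
    sql = "SELECT id, name FROM assets WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def compare(owner: str) -> dict:
    """Run both forms against the same input and report the row counts, so
    the behavioural difference is visible. Only rows owned by the exact
    string are intended; any extra rows from the unsafe form are the bug."""
    conn = make_db()
    try:
        return {
            "unsafe": len(assets_by_owner_unsafe(conn, owner)),
            "safe": len(assets_by_owner_safe(conn, owner)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed value behaves identically in both forms.
    print(compare("alice"))              # {'unsafe': 1, 'safe': 1}
    # A value containing a quote alters the unsafe statement's WHERE clause;
    # the parameterized form simply finds no owner with that literal name.
    print(compare("alice' OR '1'='1"))   # {'unsafe': 3, 'safe': 0}
```

The point for a reviewer or code auditor is the shape of the two functions, not the specific input: any code path that builds SQL text from request data, as the advisory says the affected GLPI versions did, has the first shape, and the remediation the advisory describes moves it to the second.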
The vulnerability demonstrates the importance of input validation and proper database access controls in web applications, particularly those handling sensitive organizational data. Organizations should prioritize an immediate upgrade to version 11.0.6 or later to mitigate this risk, as the vulnerability could enable attackers to gain deeper access to IT management systems and potentially compromise the entire infrastructure that relies on GLPI for asset tracking and incident management. The impact extends beyond simple data theft, as successful exploitation could lead to service disruption, data corruption, or even lateral movement within network environments where GLPI is deployed.