Multiple vulnerabilities in GLPI - RCE, SQL injection, XSS
Summary
CERT-FR issued a security advisory alerting organizations to multiple critical vulnerabilities in GLPI, an IT asset management and helpdesk software. The vulnerabilities affect GLPI versions 11.0.x prior to 11.0.6 and versions prior to 10.0.24, enabling remote code execution, SQL injection, and cross-site scripting attacks. Five CVEs are referenced: CVE-2026-25932, CVE-2026-26026, CVE-2026-26027, CVE-2026-26263, and CVE-2026-29047. Organizations using affected GLPI versions should apply vendor-provided patches immediately.
What changed
CERT-FR published a security advisory documenting five distinct vulnerabilities in GLPI software: remote code execution (RCE), multiple SQL injection (SQLi) flaws, and cross-site scripting (XSS) vulnerabilities. These affect two major version branches still widely deployed in enterprise environments. The advisory references GitHub Security Advisories from the GLPI project dated April 3, 2026, indicating the vendor has already released patches for these issues.
Organizations running GLPI for IT service management, asset tracking, or helpdesk functions face immediate risk of system compromise, data exfiltration, or client-side attacks against users. Security teams should prioritize patching, particularly given that RCE vulnerabilities can allow attackers to gain full control of affected servers without user interaction beyond network access.
What to do next
- Immediately identify all GLPI installations within your organization and verify the version number
- Upgrade GLPI to version 11.0.6 or later (for 11.0.x branch) or 10.0.24 or later (for 10.0.x branch)
- If patching cannot be performed immediately, implement compensating controls such as network segmentation and enhanced monitoring for the affected systems
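One way to carry out the first two steps across an inventory, as an added example that is not part of the advisory or of GLPI's own code: it encodes the advisory's two affected ranges (11.0.x before 11.0.6; anything else before 10.0.24), reads the version from each host's `inc/define.php` (the `GLPI_VERSION` constant and that file location are assumptions about GLPI's layout; confirm against your installation), and flags pre-release builds of the fixed version as still vulnerable. The hostnames and file contents are constructed.

```python
import re
from typing import Dict, Optional, Tuple
# Fixed releases named in CERTFR-2026-AVI-0401, one per branch. The 4th tuple
# element is a pre-release marker: 0 for a release, -1 for a dev/RC build of it.
FIXED_11_0 = (11, 0, 6, 0)
FIXED_10_0 = (10, 0, 24, 0)

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'10.0.23' -> (10, 0, 23, 0); '11.0.6-dev' -> (11, 0, 6, -1), so a
    pre-release of the fixed version still sorts as vulnerable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if suffix else 0)

def is_affected(version: str) -> bool:
    """The advisory's two ranges: 11.0.x before 11.0.6, and anything else before 10.0.24."""
    v = parse_version(version)
    return v < FIXED_11_0 if v[:2] == (11, 0) else v < FIXED_10_0

# GLPI declares its version in inc/define.php as define('GLPI_VERSION', '10.0.23');
# (file location and constant name assumed here; confirm against your own installation).
DEFINE_RE = re.compile(r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]""")

def version_from_define_php(source: str) -> Optional[str]:
    return m.group(1) if (m := DEFINE_RE.search(source)) else None

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a patch decision, given {host: text of its inc/define.php}."""
    out = {}
    for host, source in inventory.items():
        ver = version_from_define_php(source)
        if ver is None:
            out[host] = "UNKNOWN: GLPI_VERSION not found"
        elif is_affected(ver):
            target = "11.0.6" if parse_version(ver)[:2] == (11, 0) else "10.0.24"
            out[host] = f"AFFECTED ({ver}): upgrade to {target} or later"
        else:
            out[host] = f"fixed ({ver})"
    return out

# Constructed sample inventory (hostnames and file contents are made up).
SAMPLE_INVENTORY = {
    "helpdesk-01": "<?php\ndefine('GLPI_VERSION', '10.0.23');\n",
    "helpdesk-02": "<?php\ndefine('GLPI_VERSION', '11.0.6');\n",
    "helpdesk-03": "<?php\ndefine('GLPI_VERSION', '11.0.6-dev');\n",
    "legacy-glpi": '<?php\ndefine("GLPI_VERSION", "9.5.13");\n',
}
```

Versions on a branch the advisory does not name (for example a hypothetical 11.1.x) are reported as fixed because they fall outside both stated ranges; check the vendor advisories directly for such installs.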
Archived snapshot
Apr 8, 2026: GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Premier Ministre, S.G.D.S.N, Agence nationale de la sécurité des systèmes d'information (ANSSI)
Paris, 7 April 2026. No. CERTFR-2026-AVI-0401. Handled by: CERT-FR
CERT-FR Advisory
Subject: Multiple vulnerabilities in GLPI
Document management
| Field | Value |
| --- | --- |
| Reference | CERTFR-2026-AVI-0401 |
| Title | Multiple vulnerabilities in GLPI |
| Date of first version | 7 April 2026 |
| Date of latest version | 7 April 2026 |
| Source(s) | GLPI security advisory GHSA-2c98-648q-h27h of 3 April 2026 |
| | GLPI security advisory GHSA-346p-qj3v-9rxj of 3 April 2026 |
| | GLPI security advisory GHSA-3m49-qf92-vccr of 3 April 2026 |
| | GLPI security advisory GHSA-chch-wcm9-f9cp of 3 April 2026 |
| | GLPI security advisory GHSA-m627-945g-x7xh of 3 April 2026 |
Detailed version history is given at the end of this document.
Risks
- Remote arbitrary code execution
- Cross-site scripting (XSS)
- SQL injection (SQLi)
Affected systems
- GLPI versions 11.0.x prior to 11.0.6
- GLPI versions prior to 10.0.24
Summary
Multiple vulnerabilities have been discovered in GLPI. They allow an attacker to achieve remote arbitrary code execution, SQL injection (SQLi) and cross-site scripting (XSS).
Solutions
Refer to the vendor's security advisory to obtain the patches (see the Documentation section).
Documentation
- GLPI security advisory GHSA-2c98-648q-h27h of 3 April 2026: https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h
- GLPI security advisory GHSA-346p-qj3v-9rxj of 3 April 2026: https://github.com/glpi-project/glpi/security/advisories/GHSA-346p-qj3v-9rxj
- GLPI security advisory GHSA-3m49-qf92-vccr of 3 April 2026: https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr
- GLPI security advisory GHSA-chch-wcm9-f9cp of 3 April 2026: https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp
- GLPI security advisory GHSA-m627-945g-x7xh of 3 April 2026: https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh
- CVE reference CVE-2026-25932: https://www.cve.org/CVERecord?id=CVE-2026-25932
- CVE reference CVE-2026-26026: https://www.cve.org/CVERecord?id=CVE-2026-26026
- CVE reference CVE-2026-26027: https://www.cve.org/CVERecord?id=CVE-2026-26027
- CVE reference CVE-2026-26263: https://www.cve.org/CVERecord?id=CVE-2026-26263
- CVE reference CVE-2026-29047: https://www.cve.org/CVERecord?id=CVE-2026-29047
Detailed document history
- 7 April 2026: Initial version
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CERT-FR.
The plain-English summary, classification, and "what to do next" steps are AI-generated from the original text. Cite the source document, not the AI analysis.