SB20260406118 - Multiple vulnerabilities in GLPI
Published: April 6, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Stored cross-site scripting (CVE-ID: CVE-2026-25932)
The vulnerability allows a remote user to execute arbitrary script code in the context of the application.
The vulnerability exists due to improper encoding or escaping of output in supplier fields when handling user-supplied supplier data. A remote privileged user can store an XSS payload in supplier fields to execute arbitrary script code in the context of the application.
2) SQL injection (CVE-ID: CVE-2026-26263)
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the Search engine when processing search requests. A remote attacker can send specially crafted search input to execute arbitrary SQL commands.
The issue is a time-based blind SQL injection.
3) Stored cross-site scripting (CVE-ID: CVE-2026-26027)
The vulnerability allows a remote attacker to execute arbitrary script in a user's browser.
The vulnerability exists due to cross-site scripting in the inventory endpoint when handling user-supplied inventory data. A remote attacker can submit a specially crafted payload to execute arbitrary script in a user's browser.
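Items 1 and 3 are both stored cross-site scripting caused by writing field values into HTML without encoding them for the context they land in. The following is an added illustration of that defect class and its fix, written here in Python for brevity; it is not GLPI code (GLPI is a PHP application) and the supplier record, field names and markup are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Constructed supplier record standing in for stored, user-supplied field
# values; the payload strings are the usual harmless test markers.
SUPPLIER = {
    "name": "Acme <script>alert(1)</script>",
    "website": 'https://example.invalid/" onmouseover="alert(1)',
}


def render_vulnerable(supplier):
    """Interpolates stored values straight into markup.

    Any tag in the text node, or any quote in the attribute value, becomes
    part of the page structure instead of being displayed as data.
    """
    return f'<td><a href="{supplier["website"]}">{supplier["name"]}</a></td>'


def safe_href(url):
    """Allow only http/https URLs in href; anything else renders as empty.

    Attribute escaping alone keeps a value inside the attribute, but a
    javascript: URL would still be a valid, dangerous href, so the scheme
    is checked separately.
    """
    scheme = urlparse(url).scheme.lower()
    return url if scheme in ("http", "https") else ""


def render_hardened(supplier):
    """Escapes on output for the context each value is written into.

    html.escape(..., quote=True) neutralises <, >, & and both quote
    characters, which covers the text node and the double-quoted attribute.
    """
    href = html.escape(safe_href(supplier["website"]), quote=True)
    name = html.escape(supplier["name"], quote=True)
    return f'<td><a href="{href}">{name}</a></td>'


if __name__ == "__main__":
    print(render_vulnerable(SUPPLIER))
    print(render_hardened(SUPPLIER))
```

In the hardened output the stored `<script>` appears as `&lt;script&gt;` and the injected `"` as `&quot;`, so the browser shows the supplier name as text rather than executing it; encoding must happen at the point of output, because the stored value is still the attacker's string.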
4) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-26026)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements in the template engine when processing administrator-controlled template input. A remote privileged user can inject crafted template expressions to execute arbitrary code.
High privileges are required.
5) SQL injection (CVE-ID: CVE-2026-29047)
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the logs export feature when processing log export requests. A remote privileged user can send a specially crafted log export request to execute arbitrary SQL commands.
Authentication with high privileges is required. The issue affects GLPI versions 10.0.0 and later before 10.0.24 and 11.0.6.
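Items 2 and 5 are both SQL injection: request input (a search term, a log export parameter) reaching the database as part of the query text rather than as bound data. The following added example contrasts the two patterns on an in-memory SQLite table; it is illustrative code written for this bulletin, not GLPI's search engine or export code (which is PHP), and the table, rows and query are constructed.

```python
import sqlite3

# Constructed rows standing in for a ticket table searched by the application.
ROWS = [
    (1, "printer offline", "hardware"),
    (2, "vpn timeout", "network"),
    (3, "password reset", "account"),
]


def make_db():
    """Builds a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, category TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Search with the term concatenated into the SQL text.

    A quote character in the term closes the string literal and whatever
    follows is parsed as SQL, so the input can change the query's shape
    (here, defeat the category restriction).
    """
    sql = (
        "SELECT id FROM tickets WHERE title LIKE '%" + term + "%' "
        "AND category = 'network'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_hardened(conn, term):
    """Same search with the term passed as a bound parameter.

    The driver sends the value separately from the statement, so the term
    can only ever be compared as text; quotes and comment markers inside
    it are just characters to match against.
    """
    sql = "SELECT id FROM tickets WHERE title LIKE ? AND category = 'network'"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "vpn"), search_hardened(db, "vpn"))
    crafted = "' OR 1=1 --"
    print(search_vulnerable(db, crafted), search_hardened(db, crafted))
```

For an ordinary term both functions return the same row. For the crafted term the concatenating version returns every ticket regardless of category, because the rest of its WHERE clause has been commented out, while the parameterised version returns nothing, since no title contains that literal text. The time-based blind variant named in item 2 is the same defect observed only through response latency, so the remediation is identical: bind parameters, and treat any query built from request strings as a finding during review.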
Remediation
Install the update from the vendor's website.
References
- https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh
- https://github.com/advisories/GHSA-m627-945g-x7xh
- https://github.com/glpi-project/glpi/security/advisories/GHSA-346p-qj3v-9rxj
- https://github.com/advisories/GHSA-346p-qj3v-9rxj
- https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp
- https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h
- https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr