SB2026040798 - Multiple vulnerabilities in GLPI
Published: April 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-53112)
The vulnerability allows a remote user to remove specific resources.
The vulnerability exists due to improper access control in permission checks when handling requests to remove resources. A remote user can send a crafted request to remove specific resources.
2) Improper access control (CVE-ID: CVE-2025-53111)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in resource permission checks when handling requests for protected resources. A remote user can access resources without proper authorization to disclose sensitive information.
3) Improper access control (CVE-ID: CVE-2025-53113)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the external links feature when fetching information on items through external links. A remote privileged user can use the external links feature to access information on items they are not allowed to see to disclose sensitive information.
4) Authorization bypass through user-controlled key (CVE-ID: CVE-2025-53357)
The vulnerability allows a remote user to modify another user's reservations.
The vulnerability exists due to authorization bypass through user-controlled key in the reservations feature when handling reservation modification requests. A remote user can alter identifiers in a crafted request to modify another user's reservations.
5) Improper access control (CVE-ID: CVE-2025-53008)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in mail receiver credentials handling when processing a malicious payload. A remote user can use a malicious payload to disclose sensitive information.
6) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-52897)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of script-related html tags in a web page in the planning feature when handling a malicious link. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.
User interaction is required to open the crafted link.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-52567)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in RSS feeds and external calendar handling in planning when processing user-supplied feed or calendar URLs. A remote user can supply a crafted URL to disclose sensitive information.
The issue is blind in nature and affects usage of RSS feeds or external calendar in planning.
8) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-27514)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of script-related html tags in a web page in the projects kanban when rendering stored content. A remote privileged user can inject a malicious payload to disclose sensitive information.
User interaction is required to trigger the stored payload.
9) Improper access control (CVE-ID: CVE-2025-53105)
The vulnerability allows a remote user to modify the rules execution order.
The vulnerability exists due to improper access control in the rules management functionality when handling requests to update rule ordering. A remote user can send a crafted request to modify the rules execution order.
Remediation
Install update from vendor's website.
References
- https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r
- https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j
- https://github.com/advisories/GHSA-p665-mqcr-j96j
- https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j
- https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8
- https://github.com/advisories/GHSA-x9mj-822q-6cf8
- https://github.com/glpi-project/glpi/security/advisories/GHSA-52h8-76ph-4j9q
- https://github.com/glpi-project/glpi/security/advisories/GHSA-6whm-q2rp-prqm
- https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7
- https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj
- https://github.com/glpi-project/glpi/security/advisories/GHSA-334r-2682-95wc