#VU124954 SQL injection in GLPI - CVE-2026-29047

 

Published: April 6, 2026


Vulnerability identifier: #VU124954
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29047
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GLPI
Software vendor:
glpi-project

Description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the logs export feature when processing log export requests. A remote privileged user can send a specially crafted log export request to execute arbitrary SQL commands.

Authentication with high privileges is required. The issue affects GLPI versions 10.0.0 and later, prior to 10.0.24 and 11.0.6.


Remediation

Install the security update from the vendor's website.
