SQL injection in GLPI - CVE-2026-29047

 


Published: April 6, 2026


Vulnerability identifier: #VU124954
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29047
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: glpi-project
Affected software: GLPI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the logs export feature when processing log export requests. A remote privileged user can send a specially crafted log export request to execute arbitrary SQL commands.

Authentication with high privileges is required. The issue affects GLPI versions 10.0.0 and later, before 10.0.24 and 11.0.6.


How to mitigate CVE-2026-29047

Install the security update from the vendor's website.

Sources