CVE-2021-30144

The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used...

CVE-2021-39210

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie when a user uses the "remember me" feature is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue ...

CVE-2021-39211

GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual...

CVE-2021-39190

The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM version 1802 to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist...

CVE-2020-11062

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6...

CVE-2019-10477

The FusionInventory plugin before 1.4 for GLPI 9.3.x and before 1.1 for GLPI 9.4.x mishandles sendXML actions...

CVE-2019-10231

Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerability allowing bypass of authentication. This occurs in Auth::checkPassword inc/auth.class.php...

CVE-2019-10232

Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlocktasks.php...

CVE-2019-12530

Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh...

com.airbus-cyber-security.graylog:graylog-plugin-aggregation-count (>=1.1.0 <=4.1.1), com.airbus-cyber-security.graylog:graylog-plugin-alert-wizard (>=1.0.0 <=5.2.1) +12 more potentially affected by CVE-2025-46827 via org.graylog2:graylog2-server (>=1.0.0-beta.3 <=6.0.13)

org.graylog2:graylog2-server MAVEN version =1.0.0-beta.3, =1.1.0, =1.0.0, =1.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1, =2.2.0, =1.1.0, =2.2.0, =2.2.0, =1.0.3, =1.0.0, =1.2.0, =1.3.4 Source cves: CVE-2025-46827 Source advisory: OSV:GHSA-76VF-MPMX-777J...

Exploit for Unrestricted Upload of File with Dangerous Type in Glpi-Project Glpi

CVE-2025-24801 PoC for GLPI RCE This repository contains a pr...

CVE-2022-39181

GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting RXSS. Type 1: Reflected XSS or Non-Persistent - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content t...

Exploit for Unrestricted Upload of File with Dangerous Type in Glpi-Project Glpi

CVE-2025-24801 This exploit uses CVE-2025-24801 to get Remote...

VulnCheck KEV: CVE-2025-24799

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18...

Exploit for SQL Injection in Glpi-Project Glpi

Exploit-CVE-2025-24799 CVE-2025-24799 Exploit: GLPI - Unauthen...

The vulnerability of the GLPI system’s request, incident, and asset inventory management processes, related to the lack of measures taken to protect the website structure, allows attackers to carry out attacks using cross-site scripting (XSS).

The vulnerability of the GLPI system’s request, incident, and asset inventory management functions is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows attackers who operate remotely to carry out attacks using cross-site scripting XSS...

The vulnerability of the GLPI system for managing requests, incidents, and inventory of computer equipment, related to incorrect authentication, allows a perpetrator to bypass the authentication process.

The vulnerability of the GLPI system for requests, incidents, and inventory management is related to deficiencies in the authentication process. Exploiting this vulnerability allows a malicious actor to bypass the authentication process...

The vulnerability of the GLPI system for managing requests, incidents, and inventory of computer equipment, related to insufficient protection of operational data, allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the GLPI system for requests, incidents, and inventory management is related to insufficient protection of operational data. Exploiting this vulnerability can allow unauthorized actors to gain unauthorized access to protected information...

ROS-20250403-15

Vulnerabilities in GLPI's computer hardware request, incident and inventory system are related to improper access control. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to confidential information...

ROS-20250402-04

Vulnerability of the GLPI system of requests, incidents and inventory of computer equipment is related to improperly restricting access to the "install/update.php" file. Exploitation of the vulnerability could allow An attacker acting remotely could gain access to confidential information A...