{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22044", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T22:30:38.720Z", "datePublished": "2026-02-04T17:15:39.205Z", "dateUpdated": "2026-02-04T19:27:43.406Z"}, "containers": {"cna": {"title": "GLPI is Vulnerable to Authenticated SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 0.85, < 10.0.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:15:39.205Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."}], "source": {"advisory": "GHSA-569q-j526-w385", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:27:25.137739Z", "id": "CVE-2026-22044", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:27:43.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22044", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:27:25.137739Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:27:37.310Z"}}], "cna": {"title": "GLPI is Vulnerable to Authenticated SQL Injection", "source": {"advisory": "GHSA-569q-j526-w385", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 0.85, < 10.0.23"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:15:39.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22044", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:27:43.406Z", "dateReserved": "2026-01-05T22:30:38.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:15:39.205Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD484FC7-BC66-4499-B835-378F634F8155", "versionEndExcluding": "10.0.23", "versionStartIncluding": "0.85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23."}], "id": "CVE-2026-22044", "lastModified": "2026-02-06T21:19:53.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T18:16:08.580", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:23:22.203055+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 10.0.23 or later, which contains the patch for the SQL injection.", "If an upgrade cannot be performed immediately, restrict or suspend the use of privileged user accounts until the upgrade is completed.", "Enforce strong password policies and monitor for unusual database activity to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Authenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "GLPI, the free asset and IT management platform, is affected from release 0.85 up to but not including 10.0.23. All installations of GLPI in this version range are vulnerable.", "description_and_impact": "The flaw is a classic authenticated SQL injection (CWE\u201189) affecting GLPI versions 0.85 through 10.0.22. A user who has legitimate credentials can inject arbitrary SQL commands into the application, enabling read, write, or delete operations on the underlying database. This compromises confidentiality of asset data and could provide a foothold for further malicious activity within the organization.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates medium severity. Because the exploitation requires authentication, the attack surface is limited to users who can log in to the GLPI instance. The EPSS score is less than 1\u202f%, implying a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need valid credentials and possibly access to the application\u2019s source to craft the malicious input."}}}}, "created": "2026-02-04T21:17:59.897998+00:00", "updated": "2026-04-17T23:30:15.913385+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}