{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22247", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-02-04T17:10:30.153Z", "dateUpdated": "2026-02-05T14:33:19.799Z"}, "containers": {"cna": {"title": "GLPI is Vulnerable to SSRF via Webhooks", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 11.0.0, < 11.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:10:30.153Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."}], "source": {"advisory": "GHSA-f6f6-v3qr-9p5x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:20:18.955924Z", "id": "CVE-2026-22247", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:33:19.799Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:20:18.955924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:20:19.601Z"}}], "cna": {"title": "GLPI is Vulnerable to SSRF via Webhooks", "source": {"advisory": "GHSA-f6f6-v3qr-9p5x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 11.0.0, < 11.0.5"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:10:30.153Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22247", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:33:19.799Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:10:30.153Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "C13BB849-4C19-473A-B105-57915EE59C49", "versionEndExcluding": "11.0.5", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5."}], "id": "CVE-2026-22247", "lastModified": "2026-02-06T21:19:00.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T18:16:08.753", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:24:05.903963+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 11.0.5 or later, which removes the insecure webhook handling code.", "If an upgrade is not immediately possible, disable webhook functionality or restrict its use to trusted networks to eliminate the SSRF vector.", "Continuously monitor outbound traffic from the GLPI server for unexpected requests to internal or external resources, and investigate any anomalies promptly."], "summary": {"action": "Apply Patch", "impact": "Server\u2011side Request Forgery via Webhook"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the GLPI project\u2019s software for the specified version range. Administrators running GLPI 11.0.0 up to 11.0.4 are affected; versions 11.0.5 and newer have the fix applied.", "description_and_impact": "GLPI versions 11.0.0 through 11.0.4 allow an administrator to configure a webhook that can send requests to any network address. This server\u2011side request forgery (CWE\u2011918) could enable the attacker to make internal API calls, harvest sensitive data, or use the compromised instance as a pivot to other systems. The impact is limited to the privileges of the GLPI administrator and the network reachability of the target system, but it can still lead to confidentiality or integrity violations if internal endpoints are accessed.", "risk_and_exploitability": "The CVSS score of 4.1 classifies the issue as low severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. GLPI is not listed in the CISA KEV catalog. Successful exploitation requires administrative access to the GLPI instance and the ability to create or modify webhook configurations, making the attack vector relatively constrained to authenticated users with elevated privileges."}}}}, "created": "2026-02-04T21:17:45.026869+00:00", "updated": "2026-04-17T23:30:15.914853+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}