{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22821", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.289Z", "datePublished": "2026-02-12T18:43:59.249Z", "dateUpdated": "2026-02-12T19:31:55.400Z"}, "containers": {"cna": {"title": "mreporting affected by a SQLI on date change", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8"}, {"name": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "tags": ["x_refsource_MISC"], "url": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72"}], "affected": [{"vendor": "pluginsGLPI", "product": "mreporting", "versions": [{"version": "< 1.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:43:59.249Z"}, "descriptions": [{"lang": "en", "value": "mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4."}], "source": {"advisory": "GHSA-24q7-h59q-33w8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T19:25:10.709903Z", "id": "CVE-2026-22821", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T19:31:55.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22821", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T19:25:10.709903Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T19:31:43.492Z"}}], "cna": {"title": "mreporting affected by a SQLI on date change", "source": {"advisory": "GHSA-24q7-h59q-33w8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pluginsGLPI", "product": "mreporting", "versions": [{"status": "affected", "version": "< 1.9.4"}]}], "references": [{"url": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "name": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "name": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:43:59.249Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22821", "state": "PUBLISHED", "dateUpdated": "2026-02-12T19:31:55.400Z", "dateReserved": "2026-01-09T22:50:10.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T18:43:59.249Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:more_reporting:*:*:*:*:*:glpi:*:*", "matchCriteriaId": "F58196A1-5ADF-43F2-822F-C26037D06249", "versionEndExcluding": "1.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4."}, {"lang": "es", "value": "mreporting es el plugin de GLPI de informes m\u00e1s completo. Antes de la versi\u00f3n 1.9.4, existe una posible inyecci\u00f3n SQL al cambiar la fecha. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.9.4."}], "id": "CVE-2026-22821", "lastModified": "2026-02-20T18:20:33.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-12T19:15:51.883", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.4)"}}], "product": "mreporting", "vendor": "pluginsglpi"}], "analysis": {"en": {"generated_at": "2026-04-17T20:02:45.496529+00:00", "value": {"mitigation_remediation": ["Upgrade the mreporting plugin to version 1.9.4 or later to eliminate the SQL injection flaw.", "Implement stricter input validation for date fields within the plugin to prevent future injection attempts.", "Review GLPI database user permissions and reduce privileges to the minimum required for normal operation."], "summary": {"action": "Apply Patch", "impact": "Remote SQL Injection"}, "threat_synthesis": {"affected_systems": "Vendors: GLPI. Product: mreporting plugin for the GLPI project. Versions prior to 1.9.4 are vulnerable; the issue is resolved in release 1.9.4 and later.", "description_and_impact": "The vulnerability originates in the mreporting GLPI plugin, where a flaw in the handling of date changes can allow a malicious user to inject arbitrary SQL commands into the backend database. This SQL injection can potentially lead to unauthorized data exfiltration or modification, compromising the confidentiality and integrity of the GLPI instance.", "risk_and_exploitability": "The CVSS score of 4.9 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and it appears to be exploitable only through the web interface when users modify date fields. Existing authentication and authorization controls may limit the reach of the injected payload, but the risk remains significant enough to warrant patching."}}}}, "created": "2026-02-13T21:29:39.654753+00:00", "updated": "2026-04-17T20:15:26.989199+00:00", "vendors": ["pluginsglpi", "pluginsglpi$PRODUCT$mreporting"]}