{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25936", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.786Z", "datePublished": "2026-03-17T19:41:32.444Z", "dateUpdated": "2026-03-18T20:00:30.055Z"}, "containers": {"cna": {"title": "GLPI Vulnerable to Authenticated SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 11.0.0, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T19:41:32.444Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue."}], "source": {"advisory": "GHSA-qw3x-7vv2-7759", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T20:00:23.979300Z", "id": "CVE-2026-25936", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:00:30.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T20:00:23.979300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:00:27.307Z"}}], "cna": {"title": "GLPI Vulnerable to Authenticated SQL Injection", "source": {"advisory": "GHSA-qw3x-7vv2-7759", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 11.0.0, < 11.0.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T19:41:32.444Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25936", "state": "PUBLISHED", "dateUpdated": "2026-03-18T20:00:30.055Z", "dateReserved": "2026-02-09T16:22:17.786Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T19:41:32.444Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6EC0B31-3368-4BD7-8DB8-A10C32B4C47A", "versionEndIncluding": "11.0.6", "versionStartExcluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. A partir de la versi\u00f3n 11.0.0 y antes de la versi\u00f3n 11.0.6, un usuario autenticado puede realizar una inyecci\u00f3n SQL. La versi\u00f3n 11.0.6 corrige el problema."}], "id": "CVE-2026-25936", "lastModified": "2026-03-19T19:30:14.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-17T20:16:13.707", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-03-19T20:26:17.237557+00:00", "value": {"mitigation_remediation": ["Apply the official patch to GLPI 11.0.6 or later (cve-2026-25936 fixed in this or newer releases).", "If immediate upgrade is not possible, consider disabling or restricting the database privileges of GLPI user accounts to limit SQL execution scope."], "summary": {"action": "Patch", "impact": "Authenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is GLPI from glpi-project. Versions 11.0.0 up to and including 11.0.5 are impacted. The issue is fixed in GLPI 11.0.6. The Common Platform Enumeration indicates the product as cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*.", "description_and_impact": "The vulnerability is a classic SQL injection (CWE-89) that can be leveraged by an attacker who already possesses valid GLPI user credentials. By injecting malicious SQL commands, the attacker can modify or read sensitive data stored in GLPI\u2019s database, potentially impacting confidentiality, integrity, and availability of the asset management system. The CVE description notes that the flaw allows arbitrary SQL execution, which may lead to data exfiltration or unauthorized configuration changes.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium severity. EPSS is reported as less than 1%, implying a low estimated current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers need authenticated access to the GLPI instance; an attacker who can obtain or compromise user credentials can exploit the flaw. No remote unauthenticated attack vector is described, so mitigation focuses on preventing credential compromise and applying the patch."}}}}, "created": "2026-03-18T10:42:51.239890+00:00", "updated": "2026-03-24T10:54:40.414678+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}