GCVE - cpe:2.3:a:glpi-project:glpi-inventory-plugin:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:glpi-project:glpi-inventory-plugin:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Glpi Project (`bef553f0-49a5-5069-ba42-78448263cef9`)
Product	Glpi Inventory Plugin (`f7e00f7e-4c00-5b9e-943b-881b4fea0ef0`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-26001`	vulnerable	2026-06-03 15:18:04.592264	GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report HIGH (7.1) The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6. Published: 2026-03-17T23:18:01.387Z Updated: 2026-03-18T20:16:53.878Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-25590`	vulnerable	2026-06-03 15:16:54.859040	GLPI Inventory Plugin has Reflected XSS in task jobs MEDIUM (4.5) The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6. Published: 2026-03-03T22:14:01.596Z Updated: 2026-03-04T16:52:27.907Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-32786`	vulnerable	2026-06-03 15:00:42.129692	GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL Injection HIGH (7.5) The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1. Published: 2025-11-04T20:18:43.581Z Updated: 2025-11-05T18:48:29.572Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-27147`	vulnerable	2026-06-03 15:00:11.585272	GLPI Inventory plugin has Improper Access Control Vulnerability HIGH (8.2) The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability. Published: 2025-03-25T14:26:45.264Z Updated: 2025-03-25T14:40:39.830Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-h6x9-jm98-cw7c https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-26626`	vulnerable	2026-06-03 15:00:00.238165	GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting MEDIUM (6.5) The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue. Published: 2025-03-14T12:47:14.011Z Updated: 2025-03-14T13:36:05.088Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-8p38-r7vf-j6jx https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.0/CHANGELOG.md#150---2025-02-25	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-31082`	vulnerable	2026-06-03 14:47:10.587143	SQL Injection via package deployment tasks in glpi-inventory-plugin MEDIUM (5.8) GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature. Published: 2022-06-27T20:30:22.000Z Updated: 2025-04-23T18:07:31.644Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-31062`	vulnerable	2026-06-03 14:47:10.543544	Unauthenticated Local File Inclusion MEDIUM (5.3) ### Impact A plugin public script can be used to read content of system files. ### Patches Upgrade to version 1.0.2. ### Workarounds `b/deploy/index.php` file can be deleted if deploy feature is not used. Published: 2022-06-20T00:00:00.000Z Updated: 2025-04-23T18:09:19.439Z Open on db.gcve.eu Reference links https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q33f-jcjf-p4v9 http://packetstormsecurity.com/files/171654/GLPI-Glpiinventory-1.0.1-Local-File-Inclusion.html	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.