{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/glpi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-26263"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","glpi","cve-2026-26263","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI, a widely used free asset and IT management software, is vulnerable to a critical security flaw. Specifically, versions 11.0.0 to before 11.0.6 contain an unauthenticated time-based blind SQL injection vulnerability (CVE-2026-26263) within its search engine functionality. This vulnerability allows remote attackers to inject malicious SQL code without needing prior authentication. Exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire GLPI instance and the sensitive information it manages. The vulnerability was reported on April 6th, 2026 and patched in version 11.0.6. 
Organizations using affected versions of GLPI should upgrade immediately to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a GLPI instance running a vulnerable version (11.0.0 to 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the search engine functionality.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a time-based blind SQL injection payload within a search query parameter.\u003c/li\u003e\n\u003cli\u003eThe GLPI server processes the malicious SQL query without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code interacts with the database, causing time delays based on conditional logic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the response times to infer the results of the injected SQL queries.\u003c/li\u003e\n\u003cli\u003eThrough repeated requests, the attacker extracts sensitive data from the database, such as usernames, passwords, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to gain unauthorized access to the GLPI system or other related resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26263 can lead to complete compromise of the GLPI instance. Attackers can access sensitive IT asset data, user credentials, and system configurations. This can result in data breaches, financial loss, and reputational damage. Given GLPI\u0026rsquo;s widespread use in IT management, a successful attack could impact numerous organizations across various sectors. 
If exploited, attackers can use the compromised GLPI instance as a pivot point to further compromise the internal network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GLPI to version 11.0.6 or later to patch CVE-2026-26263.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting the GLPI search functionality.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads, focusing on parameters used by the GLPI search engine.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection vulnerabilities in web applications.\u003c/li\u003e\n\u003cli\u003eRegularly review and update web application firewalls (WAFs) with the latest rules to block known SQL injection patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-sql-injection/","summary":"GLPI versions 11.0.0 to before 11.0.6 are susceptible to an unauthenticated time-based blind SQL injection vulnerability in the search engine, allowing remote attackers to potentially extract sensitive information.","title":"GLPI Unauthenticated Time-Based Blind SQL Injection Vulnerability (CVE-2026-26263)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-sql-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-26026"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-26026","template-injection","rce","glpi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a widely used open-source IT asset management software. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 to 11.0.5. This vulnerability stems from a template injection flaw that can be exploited by a logged-in administrator. 
Successful exploitation allows the administrator to achieve remote code execution (RCE) on the underlying server. The vulnerability was reported on April 6, 2026, and has been patched in version 11.0.6. Organizations using vulnerable versions of GLPI should upgrade immediately to prevent potential compromise. The high CVSS score (9.1) reflects the severity and potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a vulnerable GLPI instance (versions 11.0.0 - 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a section of the GLPI interface that allows for template modification.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious template containing code injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified template within the GLPI system.\u003c/li\u003e\n\u003cli\u003eThe GLPI system processes the malicious template, executing the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code allows the attacker to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to gain persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization\u0026rsquo;s infrastructure. 
Given GLPI\u0026rsquo;s function in managing IT assets, this can result in widespread damage across the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.\u003c/li\u003e\n\u003cli\u003eReview and audit GLPI administrator accounts for any suspicious activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Template Injection Attempts\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect GLPI Template Injection RCE\u0026rdquo; rule in your SIEM.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the GLPI server to only authorized personnel and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-rce/","summary":"GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.","title":"GLPI Template Injection RCE (CVE-2026-26026)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-29047"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["glpi","sqli","cve-2026-29047"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a free asset and IT management software package.  CVE-2026-29047 affects GLPI versions 10.0.0 up to, but not including, 10.0.24, as well as version 11.0.6. 
An authenticated user can exploit a SQL injection vulnerability present in the logs export feature. Successful exploitation could allow an attacker to read sensitive data, modify database content, or even execute arbitrary commands on the underlying database server. Organizations using vulnerable versions of GLPI should upgrade to versions 10.0.24 or 11.0.6 as soon as possible to mitigate the risk. This vulnerability highlights the importance of keeping software up to date with the latest security patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid user credentials to a GLPI instance (versions 10.0.0 to 10.0.23 or 11.0.0 to 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GLPI web interface using the acquired credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026ldquo;logs export\u0026rdquo; feature within the GLPI interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query and injects it into a parameter that is used when exporting the logs. This parameter is not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe GLPI application processes the crafted SQL query without proper sanitization, leading to SQL injection.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query is executed against the GLPI database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database or modifies existing data.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates the attack, potentially gaining control of the underlying database server depending on database privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29047 can lead to unauthorized access to sensitive information stored in the GLPI database, such as user credentials, asset information, and IT configuration details. 
An attacker could modify or delete critical data, disrupt IT operations, and potentially gain control over the entire GLPI system. This could impact all organizations utilizing the vulnerable GLPI version, potentially leading to data breaches and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GLPI to version 10.0.24 or 11.0.6 to patch CVE-2026-29047 (references: advisory in Overview).\u003c/li\u003e\n\u003cli\u003eImplement database activity monitoring to detect and alert on suspicious SQL queries (references: Attack Chain step 6).\u003c/li\u003e\n\u003cli\u003eReview user access controls and enforce the principle of least privilege to limit the impact of compromised accounts (references: Attack Chain step 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect potential exploitation attempts targeting the logs export feature (references: rules section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-sqli/","summary":"GLPI versions 10.0.0 before 10.0.24 and 11.0.6 are vulnerable to SQL Injection (CVE-2026-29047) via the logs export feature, allowing authenticated users to potentially execute arbitrary SQL commands.","title":"GLPI SQL Injection Vulnerability (CVE-2026-29047)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-25932"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","glpi","cve-2026-25932"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-25932 is a stored cross-site scripting (XSS) vulnerability affecting GLPI, a free asset and IT management software package. The vulnerability exists in versions 0.60 up to, but not including, 10.0.24. 
An authenticated technician user, with the necessary privileges, can inject a malicious XSS payload into the supplier fields within the GLPI application. This payload is then stored in the database and executed when other users with access to the affected supplier data view the information. This can lead to session hijacking, defacement of the GLPI interface, or other malicious actions performed in the context of the victim user. Successful exploitation requires a valid technician account and user interaction. The vulnerability is patched in GLPI version 10.0.24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to GLPI as a technician user with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the supplier management section of the GLPI interface.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a supplier field vulnerable to XSS (e.g., name, address, contact).\u003c/li\u003e\n\u003cli\u003eAttacker injects a malicious JavaScript payload into the chosen supplier field.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is stored in the GLPI database.\u003c/li\u003e\n\u003cli\u003eA different user (e.g., administrator or another technician) accesses the supplier record containing the XSS payload through the GLPI web interface.\u003c/li\u003e\n\u003cli\u003eThe GLPI application retrieves the supplier data from the database and renders it in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is executed within the context of the victim user\u0026rsquo;s browser, enabling the attacker to perform actions such as stealing cookies, redirecting the user, or modifying data within GLPI.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-25932 can allow an attacker to execute arbitrary JavaScript code within the context of other GLPI 
users\u0026rsquo; browsers. This can result in session hijacking, where the attacker gains unauthorized access to the victim\u0026rsquo;s GLPI account. The attacker may also be able to deface the GLPI interface or modify data within the application. The CVSS v3.1 score of 7.2 indicates a high potential impact. While the precise number of vulnerable installations is unknown, any organization using GLPI versions 0.60 to 10.0.23 is potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GLPI to version 10.0.24 or later to patch CVE-2026-25932.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Suspicious HTTP Referer\u0026rdquo; to identify potential exploitation attempts targeting GLPI.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and output encoding measures to prevent XSS vulnerabilities in GLPI.\u003c/li\u003e\n\u003cli\u003eReview GLPI user permissions and roles to minimize the impact of potential XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to GLPI, such as unusual requests or error messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:06Z","date_published":"2026-04-06T15:17:06Z","id":"/briefs/2026-04-glpi-xss/","summary":"CVE-2026-25932 is a cross-site scripting vulnerability in GLPI versions 0.60 to before 10.0.24, where an authenticated technician user can store a malicious XSS payload within supplier fields, potentially leading to arbitrary code execution in the context of other users' browsers.","title":"GLPI Cross-Site Scripting Vulnerability (CVE-2026-25932)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Glpi","version":"https://jsonfeed.org/version/1.1"}