https://feed.craftedsignal.io/tags/glpi/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 15:17:07 +0000https://feed.craftedsignal.io/briefs/2026-04-glpi-sql-injection/Mon, 06 Apr 2026 15:17:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-glpi-sql-injection/GLPI versions 11.0.0 to before 11.0.6 are susceptible to an unauthenticated time-based blind SQL injection vulnerability in the search engine, allowing remote attackers to potentially extract sensitive information.GLPI, a widely used free asset and IT management software, is vulnerable to a critical security flaw. Specifically, versions 11.0.0 to before 11.0.6 contain an unauthenticated time-based blind SQL injection vulnerability (CVE-2026-26263) within its search engine functionality. This vulnerability allows remote attackers to inject malicious SQL code without needing prior authentication. Exploitation could lead to unauthorized data access, modification, or deletion, potentially compromising the entire GLPI instance and the sensitive information it manages. The vulnerability was reported on April 6th, 2026 and patched in version 11.0.6. Organizations using affected versions of GLPI should upgrade immediately to mitigate this risk.

Attack Chain

1. An unauthenticated attacker identifies a GLPI instance running a vulnerable version (11.0.0 to 11.0.5).
2. The attacker crafts a malicious HTTP request targeting the search engine functionality.
3. The crafted request includes a time-based blind SQL injection payload within a search query parameter.
4. The GLPI server processes the malicious SQL query without proper sanitization.
5. The injected SQL code interacts with the database, causing time delays based on conditional logic.
6. The attacker analyzes the response times to infer the results of the injected SQL queries.
7. Through repeated requests, the attacker extracts sensitive data from the database, such as usernames, passwords, or configuration details.
8. The attacker uses the extracted credentials to gain unauthorized access to the GLPI system or other related resources.

Impact

Successful exploitation of CVE-2026-26263 can lead to complete compromise of the GLPI instance. Attackers can access sensitive IT asset data, user credentials, and system configurations. This can result in data breaches, financial loss, and reputational damage. Given GLPI’s widespread use in IT management, a successful attack could impact numerous organizations across various sectors. If exploited, attackers can use the compromised GLPI instance as a pivot point to further compromise the internal network.

Recommendation

• Upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26263.
• Deploy the provided Sigma rule to detect potential exploitation attempts targeting the GLPI search functionality.
• Monitor web server logs for suspicious requests containing SQL injection payloads, focusing on parameters used by the GLPI search engine.
• Implement input validation and sanitization measures to prevent SQL injection vulnerabilities in web applications.
• Regularly review and update web application firewalls (WAFs) with the latest rules to block known SQL injection patterns.

]]>highadvisorysql-injectionglpicve-2026-26263web-applicationhttps://feed.craftedsignal.io/briefs/2026-04-glpi-rce/Mon, 06 Apr 2026 15:17:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-glpi-rce/GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.GLPI is a widely used open-source IT asset management software. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 to 11.0.5. This vulnerability stems from a template injection flaw that can be exploited by a logged-in administrator. Successful exploitation allows the administrator to achieve remote code execution (RCE) on the underlying server. The vulnerability was reported on April 6, 2026, and has been patched in version 11.0.6. Organizations using vulnerable versions of GLPI should upgrade immediately to prevent potential compromise. The high CVSS score (9.1) reflects the severity and potential impact of this vulnerability.

Attack Chain

1. An attacker gains administrative access to a vulnerable GLPI instance (versions 11.0.0 - 11.0.5).
2. The attacker navigates to a section of the GLPI interface that allows for template modification.
3. The attacker crafts a malicious template containing code injection payloads.
4. The attacker saves the modified template within the GLPI system.
5. The GLPI system processes the malicious template, executing the injected code.
6. The injected code allows the attacker to execute arbitrary commands on the server.
7. The attacker establishes a reverse shell to gain persistent access.
8. The attacker pivots to other systems or exfiltrates sensitive data.

Impact

Successful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization’s infrastructure. Given GLPI’s function in managing IT assets, this can result in widespread damage across the organization.

Recommendation

• Immediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.
• Review and audit GLPI administrator accounts for any suspicious activity or unauthorized access attempts.
• Deploy the Sigma rule “Detect GLPI Template Injection Attempts” to detect exploitation attempts in web server logs.
• Monitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs.
• Investigate any alerts generated by the “Detect GLPI Template Injection RCE” rule in your SIEM.
• Restrict network access to the GLPI server to only authorized personnel and systems.

]]>criticaladvisorycve-2026-26026template-injectionrceglpihttps://feed.craftedsignal.io/briefs/2026-04-glpi-sqli/Mon, 06 Apr 2026 15:17:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-glpi-sqli/GLPI versions 10.0.0 before 10.0.24 and 11.0.6 are vulnerable to SQL Injection (CVE-2026-29047) via the logs export feature, allowing authenticated users to potentially execute arbitrary SQL commands.GLPI is a free asset and IT management software package. CVE-2026-29047 affects GLPI versions 10.0.0 up to, but not including, 10.0.24, as well as version 11.0.6. An authenticated user can exploit a SQL injection vulnerability present in the logs export feature. Successful exploitation could allow an attacker to read sensitive data, modify database content, or even execute arbitrary commands on the underlying database server. Organizations using vulnerable versions of GLPI should upgrade to versions 10.0.24 or 11.0.6 as soon as possible to mitigate the risk. This vulnerability highlights the importance of keeping software up to date with the latest security patches.

Attack Chain

1. An attacker gains valid user credentials to a GLPI instance (versions 10.0.0 to 10.0.23 or 11.0.0 to 11.0.5).
2. The attacker authenticates to the GLPI web interface using the acquired credentials.
3. The attacker navigates to the “logs export” feature within the GLPI interface.
4. The attacker crafts a malicious SQL query and injects it into a parameter that is used when exporting the logs. This parameter is not properly sanitized.
5. The GLPI application processes the crafted SQL query without proper sanitization, leading to SQL injection.
6. The injected SQL query is executed against the GLPI database.
7. The attacker retrieves sensitive data from the database or modifies existing data.
8. The attacker escalates the attack, potentially gaining control of the underlying database server depending on database privileges.

Impact

Successful exploitation of CVE-2026-29047 can lead to unauthorized access to sensitive information stored in the GLPI database, such as user credentials, asset information, and IT configuration details. An attacker could modify or delete critical data, disrupt IT operations, and potentially gain control over the entire GLPI system. This could impact all organizations utilizing the vulnerable GLPI version, potentially leading to data breaches and financial losses.

Recommendation

• Upgrade GLPI to version 10.0.24 or 11.0.6 to patch CVE-2026-29047 (references: advisory in Overview).
• Implement database activity monitoring to detect and alert on suspicious SQL queries (references: Attack Chain step 6).
• Review user access controls and enforce the principle of least privilege to limit the impact of compromised accounts (references: Attack Chain step 1).
• Deploy the Sigma rule provided to detect potential exploitation attempts targeting the logs export feature (references: rules section).

]]>highadvisoryglpisqlicve-2026-29047https://feed.craftedsignal.io/briefs/2026-04-glpi-xss/Mon, 06 Apr 2026 15:17:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-glpi-xss/CVE-2026-25932 is a cross-site scripting vulnerability in GLPI versions 0.60 to before 10.0.24, where an authenticated technician user can store a malicious XSS payload within supplier fields, potentially leading to arbitrary code execution in the context of other users' browsers.CVE-2026-25932 is a stored cross-site scripting (XSS) vulnerability affecting GLPI, a free asset and IT management software package. The vulnerability exists in versions 0.60 up to, but not including, 10.0.24. An authenticated technician user, with the necessary privileges, can inject a malicious XSS payload into the supplier fields within the GLPI application. This payload is then stored in the database and executed when other users with access to the affected supplier data view the information. This can lead to session hijacking, defacement of the GLPI interface, or other malicious actions performed in the context of the victim user. Successful exploitation requires a valid technician account and user interaction. The vulnerability is patched in GLPI version 10.0.24.

Attack Chain

1. Attacker authenticates to GLPI as a technician user with sufficient privileges.
2. Attacker navigates to the supplier management section of the GLPI interface.
3. Attacker identifies a supplier field vulnerable to XSS (e.g., name, address, contact).
4. Attacker injects a malicious JavaScript payload into the chosen supplier field.
5. The malicious payload is stored in the GLPI database.
6. A different user (e.g., administrator or another technician) accesses the supplier record containing the XSS payload through the GLPI web interface.
7. The GLPI application retrieves the supplier data from the database and renders it in the user’s browser.
8. The malicious JavaScript code is executed within the context of the victim user’s browser, enabling the attacker to perform actions such as stealing cookies, redirecting the user, or modifying data within GLPI.

Impact

Successful exploitation of CVE-2026-25932 can allow an attacker to execute arbitrary JavaScript code within the context of other GLPI users’ browsers. This can result in session hijacking, where the attacker gains unauthorized access to the victim’s GLPI account. The attacker may also be able to deface the GLPI interface or modify data within the application. The CVSS v3.1 score of 7.2 indicates a high potential impact. While the precise number of vulnerable installations is unknown, any organization using GLPI versions 0.60 to 10.0.23 is potentially affected.

Recommendation

• Upgrade GLPI to version 10.0.24 or later to patch CVE-2026-25932.
• Deploy the Sigma rule “Detect GLPI Suspicious HTTP Referer” to identify potential exploitation attempts targeting GLPI.
• Implement strict input validation and output encoding measures to prevent XSS vulnerabilities in GLPI.
• Review GLPI user permissions and roles to minimize the impact of potential XSS attacks.
• Monitor web server logs for suspicious activity related to GLPI, such as unusual requests or error messages.

]]>mediumadvisoryxssglpicve-2026-25932