=====================================================================
         CERT-Renater Note d'Information No. 2026/VULN047
_____________________________________________________________________

DATE: 16/01/2026

HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running GLPI versions prior to 10.0.21
(10.x branch) or 11.0.3 (11.x branch).
=====================================================================

https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46
https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9
_____________________________________________________________________

Unauthorized access to documents
Severity: High
Published by cedric-anne as GHSA-487h-7mxm-7r46, Jan 15, 2026

Package: glpi (glpi)
Affected versions: >= 10.0.0, < 11.0.0 (patched in 10.0.21); >= 11.0.0 (patched in 11.0.3)
Patched versions: 10.0.21, 11.0.3

Description

Impact
An unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user.

Patches
Upgrade to 10.0.21 / 11.0.3.

For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

Credits
This issue was initially reported by Aras Duzen; a second attack vector was then reported by TRUESEC.
CVSS v3.1 base score: 7.5 / 10 (High)
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           None
  Availability:        None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-64516
Weaknesses: CWE-200 (Exposure of Sensitive Information), CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key)
Credits: @ArdNoir (Finder), @Vanilla1ce17 (Finder)
_____________________________________________________________________

Unauthenticated SQL injection
Severity: High
Published by cedric-anne as GHSA-p467-682w-9cc9, Jan 15, 2026

Package: glpi (glpi)
Affected versions: >= 11.0.0, < 11.0.3
Patched versions: 11.0.3

Description

Impact
An unauthenticated user can perform a SQL injection.

Patches
Upgrade to 11.0.3.

For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

CVSS v3.1 base score: 7.5 / 10 (High)
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           None
  Availability:        None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-66417
Weaknesses: CWE-89 (SQL Injection)
Credits: @lem0naids (Reporter)

=========================================================
+ CERT-RENATER         | tel: 01-53-94-20-44            +
+ 23/25 Rue Daviel     | fax: 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
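The affected-version ranges and CVSS v3.1 vectors published above are all that a patch-triage pass over a GLPI fleet needs. The following Python is an added example, not code from GLPI, GitHub or CERT-Renater: it encodes the two advisories' ranges exactly as published, classifies an arbitrary GLPI version string against them, and recomputes the 7.5 base score from the published vector with the CVSS v3.1 specification formulas, so the score is checked rather than copied. Two assumptions are made here and not by the advisory: a pre-release such as 11.0.3-rc1 is treated as unpatched (the conservative choice for triage), and the hostnames and versions in the sample inventory are constructed.

```python
"""Patch-triage helper for CERT-Renater 2026/VULN047 (GLPI).

Added example; not code from GLPI, GitHub or CERT-Renater. ADVISORIES holds
the ranges and vectors exactly as published; the inventory in __main__ is
constructed sample data.
"""
import math
import re

# Affected if lower <= version < patched, per the published ranges.
ADVISORIES = {
    "GHSA-487h-7mxm-7r46": {
        "cve": "CVE-2025-64516",
        "title": "Unauthorized access to documents",
        "affected": [((10, 0, 0), (10, 0, 21)), ((11, 0, 0), (11, 0, 3))],
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    },
    "GHSA-p467-682w-9cc9": {
        "cve": "CVE-2025-66417",
        "title": "Unauthenticated SQL injection",
        "affected": [((11, 0, 0), (11, 0, 3))],
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    },
}


def version_key(text):
    """Sortable key for a GLPI version such as '10.0.20' or '11.0.3-rc1'.

    Assumption (ours, not the advisory's): a pre-release suffix sorts below
    its final release, so an RC of the patched version still counts as exposed.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def exposures(version):
    """GHSA ids whose published affected range contains `version`."""
    v = version_key(version)
    return [ghsa for ghsa, adv in ADVISORIES.items()
            if any(lo + (0,) <= v < hi + (1,) for lo, hi in adv["affected"])]


# CVSS v3.1 base-metric weights (specification section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, done on integers
    as the specification recommends to avoid floating-point artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector):
    """Recompute the base score from a 'CVSS:3.1/...' vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62,
          "H": 0.50 if changed else 0.27}[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
              if changed else 6.42 * iss)
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


def triage(inventory):
    """host -> list of (GHSA, CVE, base score, version that fixes it)."""
    report = {}
    for host, version in inventory.items():
        v = version_key(version)
        findings = []
        for ghsa in exposures(version):
            adv = ADVISORIES[ghsa]
            fix = next(hi for lo, hi in adv["affected"]
                       if lo + (0,) <= v < hi + (1,))
            findings.append((ghsa, adv["cve"], cvss31_base_score(adv["vector"]),
                             ".".join(map(str, fix))))
        report[host] = findings
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    inventory = {"glpi-prod": "10.0.20", "glpi-new": "11.0.2",
                 "glpi-test": "11.0.3-rc1", "glpi-ok": "10.0.21"}
    for host, findings in triage(inventory).items():
        if not findings:
            print(f"{host}: not affected by 2026/VULN047")
        for ghsa, cve, score, fix in findings:
            print(f"{host}: {ghsa} ({cve}, CVSS {score}) -> upgrade to {fix}")
```

Feeding a real inventory (one version string per host) to `triage()` yields, per host, the advisories it is exposed to and the release that closes each; a 10.x host gets only the document-access advisory, while any 11.0.x host below 11.0.3 gets both.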