=====================================================================
                            CERT-Renater

                Information Note No. 2026/VULN297
_____________________________________________________________________

DATE                 : 12/03/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running glpi (glpi) versions prior to
                       11.0.5.

=====================================================================
https://github.com/glpi-project/glpi/security/advisories/GHSA-c9q3-mcxq-9vr4
_____________________________________________________________________

Remote Code Execution via malicious upload

High
cedric-anne published GHSA-c9q3-mcxq-9vr4 Mar 11, 2026

Package           : glpi (glpi)
Affected versions : >= 11.0.0
Patched versions  : 11.0.5

Description

Impact

An authenticated technician user can upload a malicious file and
trigger its execution through an unsafe PHP instantiation.

Patches

Upgrade to 11.0.5.

For more information

If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity

High 8.1 / 10

CVSS v3 base metrics

Attack vector       : Network
Attack complexity   : High
Privileges required : High
User interaction    : None
Scope               : Changed
Confidentiality     : High
Integrity           : High
Availability        : High

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2026-22248

Weaknesses

CWE-502

Credits

@r1beirin (Reporter)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================