=====================================================================
                            CERT-Renater

                 Information Note No. 2026/VULN324
_____________________________________________________________________

DATE                 : 23/03/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running GLPI versions prior to 11.0.6.

=====================================================================
https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759
https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm
_____________________________________________________________________

Authenticated SQL Injection

Moderate
trasher published GHSA-qw3x-7vv2-7759 Mar 17, 2026

Package           : glpi (glpi)
Affected versions : >= 11.0.0
Patched versions  : 11.0.6

Description

Impact
An authenticated user can perform a SQL injection.

Patches
Upgrade to 11.0.6.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity
Moderate 6.5 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : Low
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : None
Availability        : None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID     : CVE-2026-25936
Weaknesses : CWE-89
Credits    : @login-securite (Reporter)

_____________________________________________________________________

MFA bypass

Moderate
trasher published GHSA-2g3p-vwp2-7qxm Mar 17, 2026

Package           : glpi (glpi)
Affected versions : >= 11.0.0
Patched versions  : 11.0.6

Description

Impact
A malicious actor with knowledge of a user's credentials can bypass MFA
and steal their account.

Patches
Upgrade to 11.0.6.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity
Moderate 6.5 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : High
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID     : CVE-2026-25937
Weaknesses : No CWEs
Credits    : @login-securite (Reporter)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================