=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN683
_____________________________________________________________________

DATE                : 29/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GLPI versions prior to 11.0.8
                     or 10.0.26.
 
=====================================================================
https://www.glpi-project.org/en/glpi-11-0-8-and-10-0-26-available/
_____________________________________________________________________

Two new GLPI versions are available

The 11.0.8 and 10.0.26 releases fix several critical security issues
that were recently discovered. Updating is strongly recommended!

Many bug fixes have also been made, read the changelogs for more
details:

    11.0.8 changelog
    10.0.26 changelog

You can download the new archives on GitHub:

    11.0.8 archive
    10.0.26 archive

You will find below the list of security issues fixed in these
bugfix versions:

    [SECURITY - ==Medium== 10.0 & 11.0] Unauthorized debug mode
        activation (CVE-2026-45801)
    [SECURITY - ==Medium== 10.0 & 11.0] LDAP filter injection in user
        import feature (CVE-2026-49469)
    [SECURITY - ==Medium== 10.0 & 11.0] Unallowed authentication method
        update by administrator (CVE-2026-53628)
    [SECURITY - ==Medium== 11.0] Unexpected access to update operations
        through the API (CVE-2026-53627)
    [SECURITY - ==Medium== 10.0 & 11.0] Unallowed modification of
        knowbase items comments and translations (CVE-2026-55217)
    [SECURITY - ==Medium== 10.0 & 11.0] Unallowed notifications sending
        (CVE-2026-57152)
    [SECURITY - ==High== 10.0 & 11.0] SQL injection in dropdowns
        (CVE-2026-47678)
    [SECURITY - ==High== 10.0 & 11.0] Arbitrary file deletion
        (CVE-2026-47679)
    [SECURITY - ==High== 11.0] Account takeover via 2FA brute force
        (CVE-2026-49470)
    [SECURITY - ==High== 10.0 & 11.0] Privilege escalation via authtype
        API manipulation (CVE-2026-53625)
    [SECURITY - ==High== 11.0] Reflected XSS in dashboards (CVE-2026-53610)
    [SECURITY - ==High== 11.0] Arbitrary document read (CVE-2026-53626)
    [SECURITY - ==High== 10.0 & 11.0] SQL injection in history tab
        (CVE-2026-53629)
    [SECURITY - ==High== 11.0] Stored XSS in suppliers (CVE-2026-55214)
    [SECURITY - ==CRITICAL== 11.0] RCE via Form import (CVE-2026-48482)
    [SECURITY - ==CRITICAL== 11.0] MFA bypass (CVE-2026-52848)

We would like to thank all people who contributed to this new version
and all those who contribute regularly to the GLPI project!

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================