GLPI Unauthenticated Time-Based Blind SQL Injection Vulnerability in Search Engine

Vulnerability

A time-based blind SQL injection vulnerability, exploitable without authentication, has been identified in the search engine of GLPI, affecting versions 11.0.0 up to but not including 11.0.6. Search input is not handled safely before it reaches the SQL layer, so a crafted search query can alter the SQL statement the application executes. Because the injection is blind and time-based, the attacker never sees query output directly; instead, results are inferred from measurable differences in response time. The issue is particularly concerning because it can be triggered by unauthenticated users, which exposes the instance to unauthorized data access or manipulation from anyone who can reach the public search interface.

Impact

Exploitation of this vulnerability allows an attacker to inject SQL into queries the application executes and, by measuring response delays, to extract data one condition at a time without ever receiving query output in the response. This can lead to unauthorized access to, or modification of, data held in the GLPI database. Time-based extraction is slow and generates many requests, which also makes it comparatively noisy in access logs.
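Because time-based blind injection leaves a distinctive trace (delay primitives in the query string and clusters of abnormally slow responses from one source), it can be hunted for in web server access logs. The following detector is an added example written for this page; it is not GLPI project code. It assumes an nginx-style combined log with the request duration appended as the last field, and the FAQ path, parameter name and the log lines themselves are constructed for the demo rather than taken from the advisory.

```python
"""Detect time-based blind SQL injection probes against a public search
endpoint from access logs.  Added example, not GLPI project code.  The log
format, the search path and the sample lines below are assumptions made for
this demo; adapt them to your deployment."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed combined log format with $request_time appended as the final field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)

# Time-delay primitives used by blind SQLi payloads on MySQL/MariaDB.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)

# Assumed path of the anonymous FAQ search; adjust to the real deployment.
FAQ_PATH = "/front/helpdesk.faq.php"

# Constructed sample log: one benign search, one probing client, one more
# benign search.  The probe strings are generic blind-SQLi test inputs used
# only to exercise the detector; they are not an exploit for GLPI.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2026:15:36:01 +0000] "GET /front/helpdesk.faq.php?contains=printer HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.180
203.0.113.9 - - [06/Apr/2026:15:36:10 +0000] "GET /front/helpdesk.faq.php?contains=a%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 4870 "-" "python-requests/2.31" 5.210
203.0.113.9 - - [06/Apr/2026:15:36:16 +0000] "GET /front/helpdesk.faq.php?contains=a%27%20AND%20IF%281%3D1%2CSLEEP%285%29%2C0%29--%20 HTTP/1.1" 200 4870 "-" "python-requests/2.31" 5.190
203.0.113.9 - - [06/Apr/2026:15:36:22 +0000] "GET /front/helpdesk.faq.php?contains=a%27%20AND%20IF%281%3D2%2CSLEEP%285%29%2C0%29--%20 HTTP/1.1" 200 4870 "-" "python-requests/2.31" 0.190
203.0.113.9 - - [06/Apr/2026:15:36:30 +0000] "GET /front/helpdesk.faq.php?contains=x%2527%2520AND%2520SLEEP%25285%2529%252D%252D%2520 HTTP/1.1" 200 4870 "-" "python-requests/2.31" 5.230
198.51.100.7 - - [06/Apr/2026:15:37:01 +0000] "GET /front/helpdesk.faq.php?contains=vpn HTTP/1.1" 200 6010 "-" "Mozilla/5.0" 0.210
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rt"] = float(d["rt"])
    d["status"] = int(d["status"])
    return d


def has_delay_payload(url):
    """True if the query string contains a MySQL time-delay function call.
    Decodes twice because probes are frequently double URL-encoded."""
    if "?" not in url:
        return False
    qs = unquote_plus(unquote_plus(url.split("?", 1)[1]))
    return bool(DELAY_RE.search(qs))


def find_timing_clusters(entries, path_prefix, baseline_rt, factor=5.0, min_hits=3):
    """Per source IP, count requests to path_prefix that took at least
    factor * baseline_rt; report IPs with min_hits or more.  This catches
    probes whose payload keyword is obfuscated beyond the regex above.
    baseline_rt should come from a known-quiet window, not from the
    window under analysis, or the attack traffic skews it."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["url"].split("?", 1)[0].startswith(path_prefix):
            per_ip[e["ip"]].append(e["rt"])
    suspicious = {}
    for ip, rts in per_ip.items():
        slow = [rt for rt in rts if rt >= factor * baseline_rt]
        if len(slow) >= min_hits:
            suspicious[ip] = len(slow)
    return suspicious


def analyze(lines, path_prefix=FAQ_PATH, baseline_rt=0.2):
    """Run both detections; returns keyword hits as (ip, url) pairs and the
    timing clusters as {ip: slow_request_count}."""
    entries = [e for e in map(parse_line, lines) if e]
    keyword_hits = [(e["ip"], e["url"]) for e in entries if has_delay_payload(e["url"])]
    clusters = find_timing_clusters(entries, path_prefix, baseline_rt)
    return {"keyword_hits": keyword_hits, "timing_clusters": clusters}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG.splitlines()).items():
        print(name, result)
```

On the constructed sample the keyword check flags all four probe requests from 203.0.113.9, including the double-encoded one and the request whose false condition produced no delay, while the timing check flags the same address on the strength of three responses at roughly five seconds against a 0.2 s baseline. Running both matters: the keyword check misses obfuscated payloads, and the timing check misses the half of a boolean-style probe that deliberately does not sleep.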

Remediation

Users are advised to upgrade to GLPI version 11.0.6 or later. As a temporary workaround, anonymous access to the FAQ can be disabled, which removes the unauthenticated entry point; the underlying flaw in the search engine remains in place, so the upgrade is still required.

Added: Apr 6, 2026, 3:36 PM
Updated: Apr 6, 2026, 3:36 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.1
exploitability: 8.1
remediation: 8.3
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.