{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29047", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-04-06T14:39:15.996Z", "dateUpdated": "2026-04-07T03:55:43.198Z"}, "containers": {"cna": {"title": "GLPI has an Authenticated SQL Injection via log exports", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 10.0.0, 10.0.24", "status": "affected"}, {"version": ">= 11.0.0-alpha, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:39:15.996Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6."}], "source": {"advisory": "GHSA-3m49-qf92-vccr", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-29047"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:55:43.198Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6."}], "id": "CVE-2026-29047", "lastModified": "2026-04-06T15:17:07.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:07.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.24]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-alpha,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-04-06T17:22:05.201205+00:00", "value": {"mitigation_remediation": ["Apply the latest GLPI patch (v10.0.24 or v11.0.6) to remove the vulnerable code.", "If immediate patching is not feasible, disable or limit the logs export feature to trusted administrators only.", "Continuously monitor activity logs for suspicious export attempts and conduct regular database integrity checks."], "summary": {"action": "Apply Patch", "impact": "Data Compromise"}, "threat_synthesis": {"affected_systems": "GLPI versions 10.0.0 up to but not including 10.0.24, and 11.0.0 up to but not including 11.0.6 are susceptible. Upgrading to 10.0.24 or 11.0.6 mitigates the issue.", "description_and_impact": "A vulnerable version of GLPI allows an authenticated user to inject arbitrary SQL statements through the logs export interface. The flaw is a classic injection point (CWE-89), which could enable the modification or extraction of database contents and potentially disrupt the integrity of asset data. The vulnerability can be triggered by any user who has legitimate login credentials and access to the logs export feature.", "risk_and_exploitability": "With a CVSS score of 7.2, this flaw is considered high severity. Exploitation requires an authenticated session, so an attacker must first compromise an account or gain legitimate access. The public exploit probability (EPSS) is currently not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the possibility of database compromise warrants swift attention."}}}}, "created": "2026-04-06T20:14:25.848279+00:00", "updated": "2026-04-06T21:32:39.777116+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}