{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29047", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.243Z", "datePublished": "2026-04-06T14:39:15.996Z", "dateUpdated": "2026-04-07T13:06:57.659Z"}, "containers": {"cna": {"title": "GLPI has an Authenticated SQL Injection via log exports", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 10.0.0, 10.0.24", "status": "affected"}, {"version": ">= 11.0.0-alpha, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:39:15.996Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6."}], "source": {"advisory": "GHSA-3m49-qf92-vccr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T03:55:43.970616Z", "id": "CVE-2026-29047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:06:57.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "GLPI has an Authenticated SQL Injection via log exports", "source": {"advisory": "GHSA-3m49-qf92-vccr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 10.0.0, 10.0.24"}, {"status": "affected", "version": ">= 11.0.0-alpha, < 11.0.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:39:15.996Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T03:55:43.970616Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T13:06:54.803Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-29047", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:39:15.996Z", "dateReserved": "2026-03-03T17:50:11.243Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:39:15.996Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "96E69C9D-0229-467D-8E6E-E63BCEDD5EF8", "versionEndExcluding": "10.0.24", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BF95FA7-1F5E-4D44-B291-5576720FB714", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6."}], "id": "CVE-2026-29047", "lastModified": "2026-04-07T16:02:15.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T15:17:07.590", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.24]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-alpha,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-04-07T23:51:45.823623+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 10.0.24 or newer, or to version 11.0.6 or newer", "If an upgrade is not immediately possible, restrict the logs export feature to users with the minimum required permissions"], "summary": {"action": "Patch", "impact": "Authenticated SQL injection via logs export"}, "threat_synthesis": {"affected_systems": "GLPI versions 10.0.0 through 10.0.23 and all 11.x releases prior to 11.0.6 are affected. The vulnerability was fixed in 10.0.24 and 11.0.6 and later versions of GLPI.", "description_and_impact": "An SQL injection flaw exists in the logs export function of GLPI. An authenticated user can supply crafted input that is incorporated into an SQL statement, allowing arbitrary queries or modifications against the database. This can lead to disclosure of sensitive data, alteration of records, or deletion of entries, compromising confidentiality, integrity, and potentially availability of the system.", "risk_and_exploitability": "The CVSS v3.1 score is 7.2, indicating high severity. The EPSS score is below 1%, implying a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated web session and use of the logs export operation, after which an attacker can inject malicious SQL statements."}}}}, "created": "2026-04-06T20:14:25.848279+00:00", "updated": "2026-04-08T19:50:48.681859+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}