{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26001", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:41:55.859Z", "datePublished": "2026-03-17T23:18:01.387Z", "dateUpdated": "2026-03-18T20:16:53.878Z"}, "containers": {"cna": {"title": "GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx"}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"version": "< 1.6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:18:01.387Z"}, "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6."}], "source": {"advisory": "GHSA-gp4r-m42c-wvgx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T20:16:45.101503Z", "id": "CVE-2026-26001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:16:53.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T20:16:45.101503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:16:48.402Z"}}], "cna": {"title": "GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report", "source": {"advisory": "GHSA-gp4r-m42c-wvgx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"status": "affected", "version": "< 1.6.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx", "name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:18:01.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26001", "state": "PUBLISHED", "dateUpdated": "2026-03-18T20:16:53.878Z", "dateReserved": "2026-02-09T17:41:55.859Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:18:01.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C6C195-DCBB-4921-BDFF-CAD1971700EA", "versionEndExcluding": "1.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6."}, {"lang": "es", "value": "El plugin de inventario de GLPI gestiona el descubrimiento de red, el inventario, el despliegue de software y la recopilaci\u00f3n de datos para los agentes de GLPI. Antes de la versi\u00f3n 1.6.6, la entrada de usuario sin sanear pod\u00eda dar lugar a una inyecci\u00f3n SQL desde informes, con permisos adecuados. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.6.6."}], "id": "CVE-2026-26001", "lastModified": "2026-03-23T18:14:43.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T00:16:18.770", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-gp4r-m42c-wvgx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.6)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "glpi-inventory-plugin", "source": "cna", "vendor": "glpi-project"}, "product": "glpi_inventory", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-03-23T19:29:47.156367+00:00", "value": {"mitigation_remediation": ["Upgrade the GLPI Inventory Plugin to version 1.6.6 or later."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "This flaw affects the GLPI Inventory Plugin, used with GLPI for asset management. Versions prior to 1.6.6 are vulnerable; upgrade to 1.6.6 or newer to eliminate the issue.", "description_and_impact": "The GLPI Inventory Plugin allows users to view network inventories and generate reports. Prior to version 1.6.6, unsanitized input from a user\u2011controlled dropdown in the calendar report can be exploited for an SQL injection. An attacker with sufficient rights could execute arbitrary SQL commands against the underlying database, potentially reading, modifying, or deleting inventory data and compromising the confidentiality and integrity of the system. The vulnerability does not provide a direct code\u2011execution path but can be used to subvert data integrity.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact, and an EPSS score below 1\u202f% suggests a low likelihood of widespread exploitation, consistent with the absence from the KEV catalog. The attack requires an authenticated user with report\u2011generation privileges who can supply crafted input to the dropdown. When these conditions are met, the injection can be executed; the exploit path is straightforward through the web interface."}}}}, "created": "2026-03-18T10:42:34.795738+00:00", "updated": "2026-03-24T10:54:23.570790+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi_inventory"]}