Back to overview

CVE-2026-11321

MEDIUM
6.4
CVSS 3.1
Description
The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

Metadata

CVE ID
CVE-2026-11321
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-04 20:57 UTC
Published
2026-07-10 18:53 UTC
Last updated
2026-07-10 18:56 UTC
Primary CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product
pluginsGLPI / datainjection
Sources
cve.org  ·  NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
pluginsGLPI datainjection 2.15.6 < 2.15.7
Weakness (CWE)
CWESourceDescription
CWE-89 cna Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
6.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Back to overview