CVE-2026-42318 | GLPI is a free asset and IT management software package. Sta… | CVSS 7.0 HIGH

Description

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.

Metadata

CVE ID: CVE-2026-42318
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-26 12:37 UTC
Published: 2026-06-03 15:17 UTC
Last updated: 2026-06-03 16:18 UTC
Primary CWE: CWE-862
CWE-862: Missing Authorization
Vendor / Product: glpi-project / glpi
Sources: cve.org · NVD

Severity & Metrics

7.0 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
glpi-project	glpi	—	>= 11.0.0, < 11.0.7, >= 9.5.0, < 10.0.25

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.0	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References (1)

https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22 https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22