Ghostwire

CVE-2026-11321: The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL...

HIGH CVSS 0.0

Published: July 10, 2026 | Last Modified: July 10, 2026

Description

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References