Releases: glpi-project/glpi
11.0.7
This is a security release, upgrading is recommended
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - Low] Unauthorized update of configuration
- [SECURITY - Low] Unauthorized IMAP connection probing
- [SECURITY - Low] Unauthorized reading of a specific asset object
- [SECURITY - Low] Unauthorized modification of webhook payload templates
- [SECURITY - Low] Unauthorized Webhook CRA Validation SSRF
- [SECURITY - Low] Webhook CRA signature bypass
- [SECURITY - Low] Unauthorized resending of queued webhooks
- [SECURITY - Medium] Unauthorized export of form structure (CVE-2026-32312)
- [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
- [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
- [SECURITY - High] Stored XSS in ITIL Costs (CVE-2026-40108)
- [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
- [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
10.0.25
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - Low] Unauthorized update of configuration
- [SECURITY - Low] Unauthorized IMAP connection probing
- [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
- [SECURITY - High] Stored XSS in asset locks (CVE-2026-42321)
- [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
- [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
- [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
11.0.6
This is a security release, upgrading is recommended
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - Critical] Server-Side Template Injection (CVE-2026-26026)
- [SECURITY - High] Stored XSS via Inventory (CVE-2026-26027)
- [SECURITY - High] Unauthenticated SQL Injection via Search engine (CVE-2026-26263)
- [SECURITY - Moderate] MFA bypass (CVE-2026-25937)
- [SECURITY - Moderate] Authenticated SQL Injection (CVE-2026-25936)
- [SECURITY - High] Authenticated SQL Injection (CVE-2026-29047)
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
10.0.24
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - High] Stored XSS in Supplier (CVE-2026-25932)
- [SECURITY - High] Authenticated SQL Injection (CVE-2026-29047)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
11.0.5
This is a security release, upgrading is recommended
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - MODERATE] Session stealing on externally authenticated user change (CVE-2026-23624)
- [SECURITY - HIGH] Remote Code Execution via malicious upload (CVE-2026-22248)
- [SECURITY - MODERATE] SSRF via Webhooks (CVE-2026-22247)
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
10.0.23
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - MODERATE] Authenticated SQL Injection (CVE-2026-22044)
- [SECURITY - MODERATE] Session stealing on externally authenticated user change (CVE-2026-23624)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
11.0.4
This is a security release, upgrading is recommended
Yesterday, 11.0.3 was shipped, but soon after, a few annoying regressions were detected, hence the need for a new release.
You can download the GLPI 11.0.4 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - HIGH] Unauthorized access to documents (CVE-2025-64516)
- [SECURITY - HIGH] Unauthenticated SQL injection (CVE-2025-66417)
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
10.0.22
This is a security release, upgrading is recommended
Yesterday, 10.0.21 was shipped, but soon after, a few annoying regressions were detected, hence the need for a new release.
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.22 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - HIGH] Unauthorized access to documents (CVE-2025-64516)
- [SECURITY - MODERATE] Unauthenticated Stored XSS through the inventory endpoint (CVE-2025-59935)
- [SECURITY - MODERATE] Unauthorized access to Knowledge Base items through the API (CVE-2025-64520)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
11.0.3
This is a security release, upgrading is recommended
You can download the GLPI 11.0.3 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - HIGH] Unauthorized access to documents (CVE-2025-64516)
- [SECURITY - HIGH] Unauthenticated SQL injection (CVE-2025-66417)
The full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.
10.0.21
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.21 archive on GitHub.
You will find below the list of security issues fixed in this bugfix version:
- [SECURITY - HIGH] Unauthorized access to documents (CVE-2025-64516)
- [SECURITY - MODERATE] Unauthenticated Stored XSS through the inventory endpoint (CVE-2025-59935)
- [SECURITY - MODERATE] Unauthorized access to Knowledge Base items through the API (CVE-2025-64520)
Many bug fixes have also been made; the full changelog is available for more details.
We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!
Regards.