CVE-2026-22248 PUBLISHED

GLPI affected by Remote Code Execution via malicious upload

Assigner: GitHub_M
Reserved: 07.01.2026 Published: 11.03.2026 Updated: 11.03.2026

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In versions from 11.0.0 up to but not including 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 8.1

Product Status

Vendor glpi-project
Product glpi
Versions
  • Version >= 11.0.0, < 11.0.5 is affected

References

Problem Types

  • CWE-502: Deserialization of Untrusted Data