CVE-2026-42317 PUBLISHED

GLPI vulnerable to arbitrary files deletion by technician

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 03.06.2026 Updated: 03.06.2026

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7

Product Status

Vendor glpi-project
Product glpi
Versions
  • Version >= 11.0.0, < 11.0.7 is affected
  • Version >= 0.78, < 10.0.25 is affected

References

Problem Types

  • CWE-862: Missing Authorization CWE