๐Ÿ” CVE Alert

CVE-2026-11321

MEDIUM 6.4

GLPI DataInjection Plugin Authenticated SQL Injection via CSV Import

CVSS Score
6.4
EPSS Score
0.3%
EPSS Percentile
23th

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

CWE CWE-89
Vendor pluginsglpi
Product datainjection
Published Jul 10, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for pluginsglpi datainjection

Be the first to know when new medium vulnerabilities affecting pluginsglpi datainjection are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

pluginsGLPI / datainjection
2.15.6 < 2.15.7

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/pluginsGLPI/datainjection/security/advisories/GHSA-57qv-j6r6-pcc4 github.com: https://github.com/pluginsGLPI/datainjection/releases/tag/2.15.7 github.com: https://github.com/pluginsGLPI/datainjection vulncheck.com: https://www.vulncheck.com/advisories/glpi-datainjection-plugin-authenticated-sql-injection-via-csv-import

Credits

ryukk33