CVE-2026-11321
7.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pluginsGLPI | datainjection | 2.15.6 < 2.15.7 | affected |
Weaknesses
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
- https://github.com/pluginsGLPI/datainjection/security/advisories/GHSA-57qv-j6r6-pcc4
- https://github.com/pluginsGLPI/datainjection/releases/tag/2.15.7
- https://github.com/pluginsGLPI/datainjection
- https://www.vulncheck.com/advisories/glpi-datainjection-plugin-authenticated-sql-injection-via-csv-import
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.