8.0
GLPI Software Allows Malicious File Upload and Execution
CVE-2026-22248
Summary
A security issue in GLPI's file upload feature allows an authenticated technician to upload and execute malicious files. This could allow an attacker to access or damage your IT systems. Update to GLPI version 11.0.5 or later to fix this issue.
Original title
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated tec...
Original description
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.
NVD CVSS 3.1
8.0
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026