CVE-2026-11321

high

Description

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

References

https://www.vulncheck.com/advisories/glpi-datainjection-plugin-authenticated-sql-injection-via-csv-import

https://github.com/pluginsGLPI/datainjection/security/advisories/GHSA-57qv-j6r6-pcc4

https://github.com/pluginsGLPI/datainjection/releases/tag/2.15.7

https://github.com/pluginsGLPI/datainjection

Details

Source: Mitre, NVD

Published: 2026-07-10

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.4

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Severity: Medium

CVSS v4

Base Score: 7.1

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00314