Skip to content

glpi

v11.0.7 Security

This release includes 13 security fixes for security teams reviewing exposed deployments.

Published 1mo Configuration Management
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 13 known CVEs

Topics

asset-manager assets-management cmdb data-center dcim glpi
+8 more
helpdesk impact-analysis inventory itam itil itsm license-management ticketing

Summary

AI summary

Security release fixes 13 vulnerabilities including stored XSS, arbitrary deletion, and file access.

Full changelog

This is a security release, upgrading is recommended

You will find below the list of security issues fixed in this bugfixes version:

  • [SECURITY - Low] Unauthorized update of configuration
  • [SECURITY - Low] Unauthorized IMAP connection probing
  • [SECURITY - Low] Unauthorized reading of a specific asset object
  • [SECURITY - Low] Unauthorized modification of webhook payload templates
  • [SECURITY - Low] Unauthorized Webhook CRA Validation SSRF
  • [SECURITY - Low] Webhook CRA signature bypass
  • [SECURITY - Low] Unauthorized resending of queued webhooks
  • [SECURITY - Medium] Unauthorized export of form structure (CVE-2026-32312)
  • [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
  • [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
  • [SECURITY - High] Stored XSS in ITIL Costs (CVE-2026-40108)
  • [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
  • [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

Security Fixes

  • Unauthorized update of configuration
  • Unauthorized IMAP connection probing
  • Unauthorized reading of a specific asset object
  • Unauthorized modification of webhook payload templates
  • Unauthorized Webhook CRA Validation SSRF
  • Webhook CRA signature bypass
  • Unauthorized resending of queued webhooks
  • Unauthorized export of form structure (CVE-2026-32312)
  • Arbitrary files access (CVE-2026-42320)
  • Stored XSS in knowledge base (CVE-2026-5385)
  • Stored XSS in ITIL Costs (CVE-2026-40108)
  • Arbitrary item deletion via planning (CVE-2026-42318)
  • Arbitrary files deletion by technician (CVE-2026-42317)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track glpi

Get notified when new releases ship.

Sign up free

About glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.

All releases →

Related context

Beta — feedback welcome: [email protected]