glpi

Configuration Management

Free open‑source IT asset and service management software with ITIL ticketing, configuration tracking, contract and financial management.

PHP · Latest 11.0.7 · released 1 month ago

Features

  • Service Asset & Configuration Management (SACM) for dynamic inventory of hardware and software assets
  • ITIL‑aligned ticketing: request fulfillment, incident, problem, change and knowledge management
  • Contract, financial and license tracking with depreciation and compliance reporting

Recent releases

6 releases in total
11.0.7 Security relevant
Security fixes
  • Unauthorized update of configuration
  • Unauthorized IMAP connection probing
  • Unauthorized reading of a specific asset object
Full changelog

This is a security release; upgrading is recommended.

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Unauthorized update of configuration
  • [SECURITY - Low] Unauthorized IMAP connection probing
  • [SECURITY - Low] Unauthorized reading of a specific asset object
  • [SECURITY - Low] Unauthorized modification of webhook payload templates
  • [SECURITY - Low] Unauthorized Webhook CRA Validation SSRF
  • [SECURITY - Low] Webhook CRA signature bypass
  • [SECURITY - Low] Unauthorized resending of queued webhooks
  • [SECURITY - Medium] Unauthorized export of form structure (CVE-2026-32312)
  • [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
  • [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
  • [SECURITY - High] Stored XSS in ITIL Costs (CVE-2026-40108)
  • [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
  • [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

10.0.25 Security relevant
Security fixes
  • Unauthorized update of configuration
  • Unauthorized IMAP connection probing
  • Arbitrary files access (CVE-2026-42320)
Full changelog

This is a security release; upgrading is recommended.

This release fixes a few security issues that have been recently discovered. Update is recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Unauthorized update of configuration
  • [SECURITY - Low] Unauthorized IMAP connection probing
  • [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
  • [SECURITY - High] Stored XSS in asset locks (CVE-2026-42321)
  • [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
  • [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
  • [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)

Many bug fixes have also been made; the full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

11.0.6 Security relevant
Security fixes
  • Server-Side Template Injection (CVE-2026-26026)
  • Stored XSS via Inventory (CVE-2026-26027)
  • Unauthenticated SQL Injection via Search engine (CVE-2026-26263)
10.0.24 Security relevant
Security fixes
  • Stored XSS in Supplier (CVE-2026-25932)
  • Authenticated SQL Injection (CVE-2026-29047)
11.0.5 Security relevant
Security fixes
  • Session stealing via externally authenticated user change (CVE-2026-23624)
  • Remote Code Execution via malicious file upload (CVE-2026-22248)
  • SSRF via Webhooks (CVE-2026-22247)
About

Stars
5,955
Forks
1,693
Languages
PHP Twig JavaScript