
Release history

glpi releases

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.


11.0.7 Security relevant
Security fixes
  • Unauthorized update of configuration
  • Unauthorized IMAP connection probing
  • Unauthorized reading of a specific asset object
Full changelog

This is a security release, upgrading is recommended

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Unauthorized update of configuration
  • [SECURITY - Low] Unauthorized IMAP connection probing
  • [SECURITY - Low] Unauthorized reading of a specific asset object
  • [SECURITY - Low] Unauthorized modification of webhook payload templates
  • [SECURITY - Low] Unauthorized Webhook CRA Validation SSRF
  • [SECURITY - Low] Webhook CRA signature bypass
  • [SECURITY - Low] Unauthorized resending of queued webhooks
  • [SECURITY - Medium] Unauthorized export of form structure (CVE-2026-32312)
  • [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
  • [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
  • [SECURITY - High] Stored XSS in ITIL Costs (CVE-2026-40108)
  • [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
  • [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

10.0.25 Security relevant
Security fixes
  • Unauthorized update of configuration
  • Unauthorized IMAP connection probing
  • Arbitrary files access (CVE-2026-42320)
Full changelog

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You will find below the list of security issues fixed in this bugfix version:

  • [SECURITY - Low] Unauthorized update of configuration
  • [SECURITY - Low] Unauthorized IMAP connection probing
  • [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
  • [SECURITY - High] Stored XSS in asset locks (CVE-2026-42321)
  • [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
  • [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
  • [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)

Many bug fixes have also been made; the full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.

11.0.6 Security relevant
Security fixes
  • Server-Side Template Injection (CVE-2026-26026)
  • Stored XSS via Inventory (CVE-2026-26027)
  • Unauthenticated SQL Injection via Search engine (CVE-2026-26263)
10.0.24 Security relevant
Security fixes
  • Stored XSS in Supplier (CVE-2026-25932)
  • Authenticated SQL Injection (CVE-2026-29047)
11.0.5 Security relevant
Security fixes
  • Session stealing via externally authenticated user change (CVE-2026-23624)
  • Remote Code Execution via malicious file upload (CVE-2026-22248)
  • SSRF via Webhooks (CVE-2026-22247)
10.0.23 Security relevant
Security fixes
  • Authenticated SQL Injection (CVE-2026-22044)
  • Session stealing via externally authenticated user change (CVE-2026-23624)
