Home

Description

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

PUBLISHED Reserved 2026-06-04 | Published 2026-07-10 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.4CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
affected

2.15.6 (semver) before 2.15.7
affected

Credits

ryukk33 finder

References

github.com/...ection/security/advisories/GHSA-57qv-j6r6-pcc4 (GitHub Security Advisory GHSA-57qv-j6r6-pcc4) vendor-advisory

github.com/pluginsGLPI/datainjection/releases/tag/2.15.7 (DataInjection 2.15.7 Release) patch

github.com/pluginsGLPI/datainjection (Product) product

www.vulncheck.com/...henticated-sql-injection-via-csv-import third-party-advisory

cve.org (CVE-2026-11321)

nvd.nist.gov (CVE-2026-11321)

Download JSON