CVE-2026-26001— GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-26001
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GLPI Inventory Plugin has SQL Injection on dropdown_calendar Report
Source: NVD (National Vulnerability Database)
Vulnerability Description
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
GLPI Inventory Plugin SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GLPI Inventory Plugin是法国GLPI开源的一种插件。用于为 GLPI 代理处理各种类型的任务。 GLPI Inventory Plugin 1.6.6之前版本存在SQL注入漏洞,该漏洞源于用户输入清理不当,可能导致SQL注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| glpi-project | glpi-inventory-plugin | < 1.6.6 | - |
II. Public POCs for CVE-2026-26001
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-26001
请登录查看更多情报信息。
Same Patch Batch · glpi-project · 2026-03-17 · 3 CVEs total
| CVE-2026-25937 | 6.5 MEDIUM | GLPI has a MFA bypass |
| CVE-2026-25936 | 6.5 MEDIUM | GLPI Vulnerable to Authenticated SQL Injection |
IV. Related Vulnerabilities
Same product: glpi-inventory-plugin
- CVE-2026-25590
GLPI Inventory Plugin has Reflected XSS in task jobs - CVE-2025-32786
GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL I - CVE-2025-27147
GLPI Inventory plugin has Improper Access Control Vulnerabil - CVE-2025-26626
GLPI Inventory Plugin vulnerable to reflective Cross-site Sc - CVE-2022-31082
SQL Injection via package deployment tasks in glpi-inventory
Same vendor: glpi-project
- CVE-2026-29047
GLPI has an Authenticated SQL Injection via log exports - CVE-2026-26263
GLPI has an Unauthenticated SQL Injection via Search engine - CVE-2026-26027
GLPI has an Unauthenticated Stored XSS via inventory - CVE-2026-26026
GLPI has a Server-Side Template Injection via Double-Compila - CVE-2026-25932
GLPI has Stored XSS in Supplier 'Website' field
Same weakness: CWE-89
- CVE-2021-47941
WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss - CVE-2021-47930
Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthentic - CVE-2021-47928
Opencart TMD Vendor System 3.x Blind SQL Injection via produ - CVE-2026-8231
CodeAstro Online Catering Ordering System deleteorder.php sq - CVE-2025-14179
SQL injection in pdo_firebird via NUL bytes in quoted string
V. Comments for CVE-2026-26001
No comments yet