PatchSiren

pluginsGLPI CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH pluginsGLPI CVE published 2026-07-10

CVE-2026-11321

The DataInjection plugin for GLPI 2.15.6 is vulnerable to authenticated SQL injection. During CSV import, user-supplied CSV field values are concatenated directly into SQL queries without parameterization or escaping. An authenticated user with access to the Data injection feature can embed SQL expressions, such as SLEEP(), in a mapped field (e.g., Serial Number) to manipulate the generated query and extr [truncated]