HIGH
pluginsGLPI
CVE published 2026-07-10
CVE-2026-11321
The DataInjection plugin for GLPI 2.15.6 is vulnerable to authenticated SQL injection. During CSV import, user-supplied CSV field values are concatenated directly into SQL queries without parameterization or escaping. An authenticated user with access to the Data injection feature can embed SQL expressions, such as SLEEP(), in a mapped field (e.g., Serial Number) to manipulate the generated query and extr [truncated]