Nixpkgs security tracker

Suggestions search

With package: glpi-agent

Found 9 matching suggestions

Untriaged
Permalink CVE-2026-32312
5.1 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 5 days, 6 hours ago Activity log
  • Created suggestion
GLPI: Unauthorized export of form structure

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.7

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.17
    • nixpkgs-unstable 1.17
    • nixos-unstable-small 1.17
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-25932
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed (not in Nixpkgs)
GLPI has Stored XSS in Supplier 'Website' field

GLPI is a free asset and IT management software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier field. This vulnerability is fixed in 10.0.24.

Affected products

glpi
  • ==>= 0.60, < 10.0.24

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-26027
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 2 weeks ago Activity log
  • Created suggestion
GLPI has an Unauthenticated Stored XSS via inventory

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-29047
7.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 2 weeks ago Activity log
  • Created suggestion
GLPI has an Authenticated SQL Injection via log exports

GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

Affected products

glpi
  • ==>= 10.0.0, 10.0.24
  • ==>= 11.0.0-alpha, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-26026
9.1 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 2 weeks ago Activity log
  • Created suggestion
GLPI has a Server-Side Template Injection via Double-Compilation

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-26263
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 1 month, 2 weeks ago Activity log
  • Created suggestion
GLPI has an Unauthenticated SQL Injection via Search engine

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-25937
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion
GLPI has a MFA bypass

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-25936
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 2 months, 1 week ago Activity log
  • Created suggestion
GLPI Vulnerable to Authenticated SQL Injection

GLPI is a free asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers

Untriaged
Permalink CVE-2026-22248
8.0 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 2 months, 1 week ago Activity log
  • Created suggestion
GLPI affected by Remote Code Execution via malicious upload

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

Affected products

glpi
  • ==>= 11.0.0, < 11.0.5

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

  • nixos-unstable 1.16
    • nixpkgs-unstable 1.16
    • nixos-unstable-small 1.16
  • nixos-25.11 1.16
    • nixos-25.11-small 1.16
    • nixpkgs-25.11-darwin 1.16

Package maintainers