SQL Injection Vulnerability in DataInjection Plugin for GLPI by pluginsGLPI
CVE-2026-11321
7.1HIGH
What is CVE-2026-11321?
The DataInjection plugin for GLPI version 2.15.6 is susceptible to SQL injection vulnerabilities due to improper handling of user-supplied CSV field values during import. By concatenating these values directly into SQL queries without proper parameterization or escaping, an authenticated user can craft malicious inputs. This allows for the execution of SQL expressions within mapped fields (e.g., Serial Number), enabling access to sensitive database information through time-based blind injection techniques.
Affected Version(s)
datainjection 2.15.6
