SQL Injection Vulnerability in DataInjection Plugin for GLPI by pluginsGLPI
CVE-2026-11321

7.1HIGH

Key Information:

Vendor
CVE Published:
10 July 2026

What is CVE-2026-11321?

The DataInjection plugin for GLPI version 2.15.6 is susceptible to SQL injection vulnerabilities due to improper handling of user-supplied CSV field values during import. By concatenating these values directly into SQL queries without proper parameterization or escaping, an authenticated user can craft malicious inputs. This allows for the execution of SQL expressions within mapped fields (e.g., Serial Number), enabling access to sensitive database information through time-based blind injection techniques.

Affected Version(s)

datainjection 2.15.6

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ryukk33
.