Platform
php
Component
glpi
Fixed in
11.0.1
CVE-2026-26026 describes a remote code execution (RCE) vulnerability discovered in GLPI, a free asset and IT management software package. This flaw allows an authenticated administrator to inject malicious templates, leading to arbitrary code execution on the server. The vulnerability affects GLPI versions 11.0.0 through 11.0.5, and a patch is available in version 11.0.6.
Successful exploitation of CVE-2026-26026 grants an attacker complete control over the affected GLPI server. This includes the ability to execute arbitrary commands, access sensitive data stored within the GLPI database (user credentials, asset information, network configurations), and potentially pivot to other systems on the network. Given GLPI's role in IT asset management, a compromised server could expose a wide range of critical infrastructure and data. The impact is particularly severe as the vulnerability requires only administrator privileges, a relatively common role within many organizations.
CVE-2026-26026 was publicly disclosed on 2026-04-06. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation and the potential impact suggest that it is likely to become a target for attackers. Monitor CISA and GLPI advisories for updates.
Organizations heavily reliant on GLPI for asset and IT management are at significant risk. This includes companies with extensive IT infrastructure, those using GLPI for compliance reporting, and those with limited security expertise who may not be aware of the vulnerability or its potential impact. Shared hosting environments running GLPI are also particularly vulnerable due to the potential for cross-tenant exploitation.
• php / server: `find /var/www/html/glpi -name '*.template' -print0 | xargs -0 grep -i 'system('`
• php / server: `journalctl -u php-fpm -f | grep -i 'template injection'`
• generic web: `curl -I https://your-glpi-server/app/templates/ | grep -i 'Content-Type: application/json'`
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26026 is to immediately upgrade GLPI to version 11.0.6 or later. If upgrading is not immediately feasible, restrict administrator access to GLPI and carefully review any custom templates. Consider implementing a Web Application Firewall (WAF) with rules to detect and block template injection attempts. While a direct detection signature is not readily available, monitor GLPI logs for unusual activity, particularly related to template processing and execution.
Upgrade GLPI to version 11.0.6 or later to mitigate the server-side template injection vulnerability. This update fixes the flaw by ensuring that templates are compiled correctly, preventing the execution of malicious code.
CVE-2026-26026 is a critical remote code execution vulnerability in GLPI versions 11.0.0 through 11.0.5. An administrator can exploit it through template injection, potentially gaining full control of the server.
You are affected if you are running GLPI versions 11.0.0 to 11.0.5. Check your GLPI version and upgrade immediately if vulnerable.
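To check whether an installation falls in the affected range, here is an added example (not from this advisory or the GLPI project) that reads GLPI_VERSION from a constructed inc/define.php fragment and compares it against 11.0.0 through 11.0.5. The file path and constant name are assumptions about GLPI's layout, and treating pre-releases of 11.0.6 as unfixed is a conservative assumption.

```python
import re

# Version boundaries as stated in the advisory for CVE-2026-26026.
FIRST_AFFECTED = (11, 0, 0)
FIXED_IN = (11, 0, 6, 1)   # final 11.0.6 release; see parse_version for the 4th field

# Constructed sample of the version define. GLPI keeps it in inc/define.php as
# GLPI_VERSION; that path and constant name are assumptions, not from the advisory.
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '11.0.3');
define('GLPI_SCHEMA_VERSION', '11.0.3');
"""

_VERSION_RE = re.compile(r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)")


def extract_glpi_version(define_php: str) -> str:
    """Pull the GLPI_VERSION string out of the contents of inc/define.php."""
    match = _VERSION_RE.search(define_php)
    if match is None:
        raise ValueError("GLPI_VERSION define not found")
    return match.group(1)


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_final) so that a pre-release such as
    '11.0.6-rc1' sorts before the final '11.0.6' release."""
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (*parts[:3], 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True for 11.0.0 through 11.0.5. Pre-releases of 11.0.6 are treated as
    still affected (assumption: the fix ships only in the final release)."""
    v = parse_version(version)
    return v[:3] >= FIRST_AFFECTED and v < FIXED_IN


def assess(define_php: str) -> dict:
    """Summarise exposure for one installation from its inc/define.php contents."""
    version = extract_glpi_version(define_php)
    affected = is_affected(version)
    action = "upgrade to 11.0.6 or later" if affected else "no action for CVE-2026-26026"
    return {"version": version, "affected": affected, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_DEFINE_PHP))
```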
Upgrade GLPI to version 11.0.6 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict administrator access and monitor logs.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to become a target. Monitor security advisories.
Refer to the official GLPI security advisory on their website for detailed information and updates: [https://glpi.net/](https://glpi.net/)