PT-2025-7036

Published: 2025-01-23 · Updated: 2026-02-16 · CVE-2025-24799

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.18

Description: GLPI is an asset and IT management software package. In versions prior to 10.0.18, an unauthenticated user can perform a SQL injection through the /inventory API endpoint, where user-supplied input is passed into SQL queries without proper sanitization. This allows an attacker to execute arbitrary SQL commands. A major data breach at Eurofiber France, impacting over 3,600 clients including Thales, Orange, and French ministries, was attributed to exploitation of this flaw.

Recommendations: Update GLPI to version 10.0.18 or later.

Exploit · Fix

Tags: SQL injection · Unrestricted File Upload


Weakness Enumeration

Related Identifiers

ALT-PU-2025-10163
ALT-PU-2025-4115
BDU:2025-03181
BDU:2025-03182
CVE-2025-24799
GHSA-JV89-G7F7-JWFG

Affected Products

Alt Linux
Glpi