teclib-edition 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk input validation, and パス処理の欠陥 に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact unexpected behavior and vendor impact session compromise などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-25937 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue. | [email protected] | 6.5 | 0.03% | 2026-03-18 | 2026-03-23 |
| CVE-2026-25936 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue. | [email protected] | 6.5 | 0.05% | 2026-03-17 | 2026-03-19 |
| CVE-2026-23489 | Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3. | [email protected] | 9.1 | 0.06% | 2026-03-16 | 2026-03-18 |
| CVE-2026-22248 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5. | [email protected] | 8.0 | 0.26% | 2026-03-11 | 2026-03-20 |
| CVE-2023-33971 | Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of `##FULLFORM##` for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove `< > "` in all fields. | [email protected] | 6.1 | 0.45% | 2023-05-31 | 2024-11-21 |
| CVE-2023-28855 | Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue. | [email protected] | 6.5 | 0.23% | 2023-04-05 | 2024-11-21 |
| CVE-2021-39190 | The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist. | [email protected] | 5.3 | 0.19% | 2022-09-22 | 2024-11-21 |
| CVE-2021-43779 | GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command injection abuse of functionality. There is no workaround for this issue and users are advised to upgrade or to disable the addressing plugin. | [email protected] | 9.9 | 10.49% | 2022-01-05 | 2025-09-08 |
| CVE-2019-12724 | An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter. | [email protected] | 6.1 | 0.31% | 2019-07-10 | 2024-11-21 |
| CVE-2019-12723 | An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user. | [email protected] | 9.8 | 0.65% | 2019-07-10 | 2024-11-21 |
| CVE-2019-10232 | Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php. | [email protected] | 9.8 | 85.87% | 2019-03-27 | 2024-11-21 |
| CVE-2019-10231 | Teclib GLPI before 9.4.1.1 is affected by a PHP type juggling vulnerability allowing bypass of authentication. This occurs in Auth::checkPassword() (inc/auth.class.php). | [email protected] | 9.8 | 0.49% | 2019-03-27 | 2024-11-21 |
| CVE-2018-7289 | An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI. This happens because characters that cannot be converted from Unicode are replaced with '?' characters. | [email protected] | 3.3 | 2.00% | 2018-02-21 | 2024-11-21 |