This page lists publicly disclosed CVE vulnerabilities affecting glpi-project glpi_inventory (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-26001 | The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, non sanitized user input can lend to an SQL injection from reports, with adequate rights. This vulnerability is fixed in 1.6.6. | [email protected] | 7.1 | 0.21% | 2026-03-17 | 2026-06-17 |
| CVE-2026-25590 | The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6. | [email protected] | 4.5 | 0.17% | 2026-03-03 | 2026-06-17 |
| CVE-2022-31082 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` featu | [email protected] | 5.8 | 0.94% | 2022-06-27 | 2026-06-17 |
| CVE-2022-31062 | ### Impact A plugin public script can be used to read content of system files. ### Patches Upgrade to version 1.0.2. ### Workarounds `b/deploy/index.php` file can be deleted if deploy feature is not used. | [email protected] | 5.3 | 5.63% | 2022-06-20 | 2026-06-17 |