Nixpkgs security tracker

Untriaged

Permalink CVE-2026-29047

7.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week, 4 days ago

GLPI has an Authenticated SQL Injection via log exports

GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0-alpha, < 11.0.6
==>= 10.0.0, 10.0.24

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-25932

7.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week, 4 days ago

GLPI has Stored XSS in Supplier 'Website' field

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh x_refsource_CONFIRM

Affected products

glpi

==>= 0.60, < 10.0.24

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-26027

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week, 4 days ago

GLPI has an Unauthenticated Stored XSS via inventory

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-26026

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week, 4 days ago

GLPI has a Server-Side Template Injection via Double-Compilation

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-26263

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 week, 4 days ago

GLPI has an Unauthenticated SQL Injection via Search engine

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-346p-qj3v-9rxj x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-25936

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month ago

GLPI Vulnerable to Authenticated SQL Injection

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-qw3x-7vv2-7759 x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-25937

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 1 month ago

GLPI has a MFA bypass

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.6

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-22248

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month ago

GLPI affected by Remote Code Execution via malicious upload

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-c9q3-mcxq-9vr4 x_refsource_CONFIRM

Affected products

glpi

==>= 11.0.0, < 11.0.5

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.16
- nixpkgs-unstable 1.16
- nixos-unstable-small 1.16
nixos-25.11 1.16
- nixos-25.11-small 1.16
- nixpkgs-25.11-darwin 1.16

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2013-2227

created 1 month, 4 weeks ago

GLPI 0.83.7 has Local File Inclusion in common.tabs.php.

References

https://security-tracker.debian.org/tracker/CVE-2013-2227 x_transferredx_refsource_MISC
https://access.redhat.com/security/cve/cve-2013-2227 x_transferredx_refsource_MISC
http://www.openwall.com/lists/oss-security/2013/06/30/10 x_transferredx_refsource_MISC
http://www.securityfocus.com/bid/60692 x_transferredx_refsource_MISC
https://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Ar… x_transferredx_refsource_MISC

Affected products

GLPI

==0.83.7

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable 1.15
- nixpkgs-unstable 1.15
- nixos-unstable-small 1.15
nixos-25.11 1.15
- nixos-25.11-small 1.15
- nixpkgs-25.11-darwin 1.15

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Untriaged

Permalink CVE-2026-22247

4.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 months, 1 week ago

GLPI is Vulnerable to SSRF via Webhooks

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x x_refsource_CONFIRM
https://github.com/glpi-project/glpi/releases/tag/11.0.5 x_refsource_MISC

Affected products

glpi

==>= 11.0.0, < 11.0.5

Matching in nixpkgs

pkgs.glpi-agent

GLPI unified Agent for UNIX, Linux, Windows and MacOSX

nixos-unstable -
- nixpkgs-unstable 1.15
nixos-25.11 1.15

Package maintainers

@liberodark liberodark <liberodark@gmail.com>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.glpi-agent

Package maintainers