CVE-2026-42317
Received Received - Intake
Arbitrary File Deletion in GLPI IT Management Software

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-03
AI Q&A
2026-06-03
EPSS Evaluated
N/A
NVD
CVE-2026-42317
EUVD
EUVD-2026-34105
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
glpi_project glpi From 0.78 (inc) to 11.0.0 (exc)
glpi_project glpi 10.0.25
glpi_project glpi 11.0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42317 is a high-severity vulnerability in GLPI, an open-source IT asset management software. It allows a technician with sufficient privileges to delete arbitrary files on the filesystem, as long as the webserver has write permissions on those files.

This vulnerability affects all versions of GLPI from 0.78 up to, but not including, 11.0.0, as well as versions 11.0.0 and above. It has been patched in versions 10.0.25 and 11.0.7.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me? :

The vulnerability can lead to high integrity and availability loss for the affected system because a privileged technician can delete arbitrary files on the filesystem.

The attack vector is network-based, requires high privileges, but does not require user interaction.

Confidentiality is not affected by this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade GLPI to version 10.0.25 or 11.0.7 or later, as these versions contain the patch that fixes the arbitrary file deletion issue.

Ensure that the webserver does not have unnecessary write permissions on critical files to reduce the risk of exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart