CVE-2026-11321
Received Received - Intake

SQL Injection in GLPI DataInjection Plugin

Vulnerability report for CVE-2026-11321, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
glpi datainjection 2.15.6
pluginsglpi datainjection to 2.15.7 (exc)
pluginsglpi datainjection 2.15.7
pluginsglpi datainjection From 2.15.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The DataInjection plugin for GLPI version 2.15.6 and earlier is vulnerable to an authenticated SQL injection attack. This happens because the plugin directly concatenates user-supplied CSV field values into SQL queries during CSV import without proper parameterization or escaping.

An authenticated user with access to the DataInjection feature can embed malicious SQL expressions, such as the SLEEP() function, into a mapped CSV field (for example, the Serial Number field). This allows them to manipulate the generated SQL query and potentially extract sensitive database information using time-based blind SQL injection techniques.

Impact Analysis

This vulnerability can allow an authenticated attacker with access to the DataInjection feature to execute arbitrary SQL commands on the database.

Such exploitation can lead to unauthorized extraction of sensitive data from the database, potentially compromising confidentiality and integrity of the stored information.

Because the attack uses time-based blind SQL injection, it may be used to infer data even if direct error messages or outputs are not available.

Detection Guidance

This vulnerability can be detected by monitoring for unusual SQL query behavior during CSV imports in the DataInjection plugin of GLPI versions 2.15.6 and below. Specifically, look for SQL queries that include unexpected SQL expressions such as SLEEP() embedded in CSV field values.

Since the vulnerability involves time-based blind SQL injection, one detection method is to test the CSV import feature with specially crafted CSV files containing SQL expressions like SLEEP(5) in fields such as Serial Number and observe if the import process delays accordingly, indicating the injection is successful.

Commands or steps to detect the vulnerability might include:

  • Prepare a CSV file with a field containing a payload like: 12345'), SLEEP(5), ('67890
  • Import the CSV file using the DataInjection plugin in GLPI.
  • Observe if the import process takes significantly longer than usual, indicating the SLEEP() function was executed.
  • Check application logs or database logs for suspicious SQL queries containing injected SQL expressions.
Mitigation Strategies

The immediate mitigation step is to upgrade the DataInjection plugin for GLPI to version 2.15.7 or later, where this SQL injection vulnerability has been patched.

Until the upgrade can be applied, restrict access to the DataInjection feature to only trusted and necessary authenticated users to reduce the risk of exploitation.

Additionally, monitor and audit CSV imports for suspicious activity and consider disabling CSV import functionality if it is not required.

Compliance Impact

The vulnerability allows an authenticated user to perform SQL injection attacks that can extract sensitive data from the database.

Such unauthorized data extraction could lead to exposure of personal or protected health information, potentially violating data protection regulations like GDPR and HIPAA.

Therefore, this vulnerability poses a risk to compliance with common standards and regulations that require safeguarding sensitive data against unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart