CVE-2026-11321
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-89
Neutralización incorrecta de elementos especiales usados en un comando SQL (Inyección SQL)
Fecha de publicación:
10/07/2026
Última modificación:
10/07/2026
Descripción
*** Pendiente de traducción *** The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.
Impacto
Puntuación base 4.0
7.10
Gravedad 4.0
ALTA
Puntuación base 3.x
6.40
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/pluginsGLPI/datainjection
- https://github.com/pluginsGLPI/datainjection/releases/tag/2.15.7
- https://github.com/pluginsGLPI/datainjection/security/advisories/GHSA-57qv-j6r6-pcc4
- https://www.vulncheck.com/advisories/glpi-datainjection-plugin-authenticated-sql-injection-via-csv-import



