CVE-2025-66417
Published: 15 January 2026
Summary
CVE-2025-66417 is a high-severity SQL injection (CWE-89) vulnerability in GLPI (vendor glpi-project). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66417 is a SQL injection vulnerability (CWE-89) in GLPI, a free asset and IT management software package. The flaw affects versions from 11.0.0 up to but not including 11.0.3, allowing an unauthenticated user to perform SQL injection through the inventory endpoint.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), with scope unchanged (S:U). Successful exploitation has a high confidentiality impact (C:H) with no integrity (I:N) or availability (A:N) impact, as reflected in its CVSS v3.1 base score of 7.5; in practice this means an attacker could extract sensitive data from the underlying database.
The issue is addressed in GLPI version 11.0.3. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206293
Vulnerability details
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
- CWE(s): CWE-89 (SQL Injection)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing inventory endpoint of GLPI enables exploitation of public-facing applications for data access.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2025-66417 by requiring timely flaw remediation, i.e. patching to GLPI version 11.0.3. This is the definitive fix; the input-validation control below is defense in depth until the upgrade is applied.
- SI-10 (Information Input Validation): Prevents SQL injection in the inventory endpoint by validating all untrusted inputs for correctness and malicious content, and blocks injection payloads by restricting the input types, lengths, and formats accepted at the vulnerable endpoint.