CVE-2025-66417
Published: 15 January 2026
Summary
CVE-2025-66417 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is a direct, remote, unauthenticated SQL injection in GLPI's public-facing inventory endpoint, so it maps to Exploit Public-Facing Application (T1190): an attacker reaches the vulnerable endpoint over the network and uses it to read data from the database.
NVD Description
GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.
Deeper analysis
CVE-2025-66417 is a SQL injection vulnerability (CWE-89) in GLPI, a free asset and IT management software package. The flaw affects versions from 11.0.0 up to but not including 11.0.3, allowing an unauthenticated user to perform SQL injection through the inventory endpoint.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and no change in scope (S:U). Successful exploitation enables high confidentiality impact (C:H) with no integrity (I:N) or availability (A:N) disruption, as reflected in its CVSS v3.1 base score of 7.5, potentially allowing attackers to extract sensitive data from the underlying database.
The issue is addressed in GLPI version 11.0.3. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9.
Details
- CWE(s)