CVE-2026-26263
Published: 06 April 2026
Summary
CVE-2026-26263 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of system flaws like this SQL injection vulnerability through patching to version 11.0.6.
SI-10 mandates validation of information inputs such as search engine queries to block malicious SQL injection payloads before database execution.
RA-5 involves regular vulnerability scanning to identify and remediate SQL injection flaws in the GLPI search engine.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated blind SQL injection in the network-accessible Search engine component of GLPI directly matches exploitation of a public-facing web application (T1190), enabling data inference/manipulation with high confidentiality/integrity/availability impact.
NVD Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Deeper analysisAI
CVE-2026-26263 is an unauthenticated time-based blind SQL injection vulnerability (CWE-89) in the Search engine component of GLPI, a free asset and IT management software package. It affects GLPI versions from 11.0.0 up to but not including 11.0.6. Published on 2026-04-06, the vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact despite elevated exploitation complexity.
Unauthenticated attackers with network access can exploit this flaw by crafting malicious inputs to the Search engine, leveraging time-based blind SQL injection techniques to infer and manipulate database contents. Exploitation enables high-impact outcomes on confidentiality, integrity, and availability, such as unauthorized data extraction, modification, or disruption of IT asset management functions.
The vulnerability is addressed in GLPI version 11.0.6. For mitigation details, including patch deployment and verification steps, refer to the official advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-346p-qj3v-9rxj.
Details
- CWE(s)