CVE-2023-36808

HIGH

GLPI 0.80-10.0.7 - SQL Injection via Computer Virtual Machine Form and Inventory Request

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-36808. PoCs published by fransosiche.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-36808, an unauthenticated SQL injection vulnerability in GLPI versions < 10.0.10. The exploit uses time-based blind SQL injection with binary search to efficiently extract data from the database.

Description

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

Exploits (1)

nomisec WORKING POC
by fransosiche · poc
https://github.com/fransosiche/exploit-cve-2023-36808

This repository contains a functional exploit for CVE-2023-36808, an unauthenticated SQL injection vulnerability in GLPI versions < 10.0.10. The exploit uses time-based blind SQL injection with binary search to efficiently extract data from the database.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: GLPI < 10.0.10
No auth needed
Prerequisites: Network access to the target GLPI instance
mistral-large-3 · analyzed Jun 10, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.6
EPSS 0.4756
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
glpi-project/glpi 0.80 - 10.0.8
Published Jul 05, 2023
Tracked Since Feb 18, 2026