CVE-2025-24799

HIGH EXPLOITED NUCLEI

Glpi < 10.0.18 - SQL Injection

Title source: rule

Description

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

Exploits (6)

nomisec WORKING POC 33 stars

by MatheuZSecurity · infoleak

https://github.com/MatheuZSecurity/Exploit-CVE-2025-24799

View Code ZIP pw:eip

nomisec SCANNER 5 stars

by MuhammadWaseem29 · infoleak

https://github.com/MuhammadWaseem29/CVE-2025-24799

View Code ZIP pw:eip

nomisec SCANNER

by airbus-cert · infoleak

https://github.com/airbus-cert/CVE-2025-24799-scanner

View Code ZIP pw:eip

nomisec TROJAN

by Rosemary1337 · poc

https://github.com/Rosemary1337/CVE-2025-24799

View Code ZIP pw:eip

vulncheck_xdb

infoleak

https://github.com/nak000/CVE-2025-24799-sqli

View on vulncheck_xdb

metasploit WORKING POC

by rz, jheysel-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/glpi_inventory_plugin_unauth_sqli.rb

View Code ZIP pw:eip

Nuclei Templates (1)

GLPI < 10.0.17 - Pre-Auth SQL Injection

CRITICALVERIFIEDby ritikchaddha

Shodan: title:"GLPI"

FOFA: title="GLPI"

References (1)

[Vendor Advisory] https://github.com/glpi-project/glpi/security/advisories/GHSA-jv89-g7f7-jwfg

Scores

CVSS v3 7.5

EPSS 0.2884

EPSS Percentile 96.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2025-04-17

CWE

CWE-89

Status published

Products (1)

glpi-project/glpi 10.0.0 - 10.0.18

Published Mar 18, 2025

Tracked Since Feb 18, 2026