CVE-2025-65035

MEDIUM

pluginsGLPI's Database Inventory Plugin <1.1.2 - Code Injection

Title source: llm

Description

pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup, and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue.

References (3)

[Various Sources] https://github.com/pluginsGLPI/databaseinventory/blob/1.1.2/CHANGELOG.md#112---2025-11-25

[Patch] https://github.com/pluginsGLPI/databaseinventory/commit/08c7055d2c5fc744cb092d7d56a608e359c56f1a

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-xc3r-32rx-3j4j

Scores

CVSS v3 6.4

EPSS 0.0006

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Timeline

Published Dec 19, 2025

Tracked Since Feb 18, 2026