CVE-2026-42318
HIGH
GLPI Vulnerable to Arbitrary Item Deletion via Planning Endpoint
Title source: cna
Description
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.
References (1)
Core References
x_refsource_confirm
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22
Scores
CVSS v4: 7.0
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0029
EPSS Percentile: 20.5%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-862
Status: published
Products (2)
glpi-project/glpi: >= 11.0.0, < 11.0.7
glpi-project/glpi: >= 9.5.0, < 10.0.25
Published: Jun 03, 2026
Tracked Since: Jun 03, 2026