CVE-2025-32786 - Vulnerability Details - OpenCVE

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Glpi-project	Glpi Inventory

No data.

No data.

References

Link	Providers
https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md
https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1
https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq

History

Wed, 05 Nov 2025 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 05 Nov 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Glpi-project Glpi-project glpi Inventory
Vendors & Products		Glpi-project Glpi-project glpi Inventory

Tue, 04 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
Description		The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1.
Title		GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL Injection
Weaknesses		CWE-89
References		https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1 https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-11-04T20:18:43.581Z

Updated: 2025-11-05T18:48:29.572Z

Reserved: 2025-04-10T12:51:12.280Z

Link: CVE-2025-32786

Vulnrichment

Updated: 2025-11-04T20:42:46.159Z

NVD

Status : Awaiting Analysis

Published: 2025-11-04T21:15:36.663

Modified: 2025-11-06T19:45:30.990

Link: CVE-2025-32786

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-32786", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-10T12:51:12.280Z", "datePublished": "2025-11-04T20:18:43.581Z", "dateUpdated": "2025-11-05T18:48:29.572Z"}, "containers": {"cna": {"title": "GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq"}, {"name": "https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md"}, {"name": "https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1"}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"version": "< 1.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-04T20:18:43.581Z"}, "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1."}], "source": {"advisory": "GHSA-w2cp-r675-6xpq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T20:42:43.006662Z", "id": "CVE-2025-32786", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T18:48:29.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32786", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T20:42:43.006662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T20:42:46.159Z"}}], "cna": {"title": "GLPI Inventory Plugin is Vulnerable to Unauthenticated SQL Injection", "source": {"advisory": "GHSA-w2cp-r675-6xpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "references": [{"url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq", "name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-w2cp-r675-6xpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md", "name": "https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.1/CHANGELOG.md", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1", "name": "https://github.com/glpi-project/glpi-inventory-plugin/releases/tag/1.5.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Versions 1.5.0 and below are vulnerable to SQL Injection. This issue is fixed in version 1.5.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-04T20:18:43.581Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32786", "state": "PUBLISHED", "dateUpdated": "2025-11-05T18:48:29.572Z", "dateReserved": "2025-04-10T12:51:12.280Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-04T20:18:43.581Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}