CVE-2026-25937

Published: Mar 18, 2026Modified: Mar 23, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.2 / Impact: 5.2

Source: security-advisories@github.com (Secondary)

Description

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

Affected (1)

Products: Teclib Edition: Glpi

Teclib Edition

1 product

Glpi

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Teclib Edition Glpi	From 11.0.0 to 11.0.6

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (1)

https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.