github glpi-project/glpi 10.0.18

This is a security release, upgrading is recommended

This release fixes a few security issues that have been recently discovered. Update is recommended!

You can download the GLPI 10.0.18 archive on GitHub.

You will find below the list of security issues fixed in this bugfix release:

  • [SECURITY - High] Unauthenticated SQL injection through the inventory endpoint (CVE-2025-24799)
  • [SECURITY - High] Authenticated Remote code execution (CVE-2025-24801)
  • [SECURITY - High] SQL injection through the rules configuration (CVE-2025-21619)
  • [SECURITY - Moderate] Open Redirection (CVE-2024-11955)
  • [SECURITY - Moderate] Reflected XSS in search page (CVE-2025-21627)
  • [SECURITY - Moderate] Exposure of sensitive information in the status.php endpoint (CVE-2025-21626)
  • [SECURITY - Moderate] Plugins disabled by unauthenticated user (CVE-2025-23024)
  • [SECURITY - Moderate] Unauthorized authentication by email using the OAuthIMAP plugin (CVE-2025-23046)
  • [SECURITY - Moderate] Unauthorized access to debug mode (CVE-2025-25192)

Many bug fixes have also been made; the full changelog is available for more details.

We would like to thank all the people who contributed to this new version and all those who contribute regularly to the GLPI project!

Regards.