A new GLPI version is available.
This release fixes a few security issues that have been recently discovered. The update is recommended!
You can download the GLPI 10.0.18 archive on GitHub.
You will find below the list of security issues fixed (none CRITICAL level) in this bugfixes version:
- Unauthenticated SQL injection through the inventory endpoint (CVE-2025-24799)
- Authenticated Remote code execution (CVE-2025-24801)
- SQL injection through the rules configuration (CVE-2025-21619)
- Open Redirection (CVE-2024-11955)
- Reflected XSS in search page (CVE-2025-21627)
- Exposure of sensitive information in the `status.php` endpoint (CVE-2025-21626)
- Plugins disabled by unauthenticated user (CVE-2025-23024)
- Unauthorized authentication by email using the OAuthIMAP plugin (CVE-2025-23046)
- Unauthorized access to debug mode (CVE-2025-25192)
Many bug fixes have also been made, read the full changelog for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.