A new GLPI version is available.
Many bug fixes have also been made; read the full changelog for more details.
You can download the GLPI 10.0.19 archive on GitHub.
Below is the list of security issues fixed in this bugfix version:
- Stored XSS on projects kanban (CVE-2025-27514)
- Blind SSRF in RSS feeds and planning (CVE-2025-52567)
- XSS and open redirection in planning (CVE-2025-52897)
- Mail receiver credentials exfiltration (CVE-2025-53008)
- Reservations modification by unauthorized user (CVE-2025-53357)
- Access to unallowed items information through external links (CVE-2025-53113)
- Data exposure to non allowed users (CVE-2025-53111)
- Data removal from allowed users (CVE-2025-53112)
- Unauthorized rules execution order update (CVE-2025-53105)
We would like to thank everyone who contributed to this new version and all those who contribute regularly to the GLPI project!