GLPI 11 stable will be released on 1st October 🚀

GLPI 11 stable will be released on 1st October 🚀

by | Sep 5, 2025 | News

As you know, GLPI 11 has now reached the Release Candidate stage. 

This means no more new features will be added; the focus is now on bug fixing, and completing translations. The version is feature-ready, and we’re very close to the stable release.


GLPI 11 stable will be released on 1st October 🎉

You can already explore what’s coming in this major version by checking out the full changelog, but here are a few highlights:

  • Native custom assets 
  • Integrated forms
  • A new self-service portal
  • 2FA
  • Webhooks
  • and more…

To help us make this release as solid as possible, we need the community’s support!

Here’s how you can contribute:

A last note, all plugins supported by us are currently available and can be tested along this new GLPI version. We invite plugin developers from the community to also port theirs. A guide listing the important changes in the framework is available.

Every contribution, brings us closer to delivering the best possible 11.0 version to everyone. 

Thank you for being part of our GLPI community!

GLPI 10.0.19 is released!

by | Jul 16, 2025 | News

A new GLPI version is available.

Many bug fixes have also been made, read the full changelog for more details.

You can download the GLPI 10.0.19 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

  • Stored XSS on projects kanban (CVE-2025-27514)
  • Blind SSRF in RSS feeds and planning (CVE-2025-52567)
  • XSS and open redirection in planning (CVE-2025-52897)
  • Mail receiver credentials exfiltration (CVE-2025-53008)
  • Reservations modification by unauthorized user (CVE-2025-53357)
  • Access to unallowed items information through external links (CVE-2025-53113)
  • Data exposure to non allowed users (CVE-2025-53111)
  • Data removal from allowed users (CVE-2025-53112)
  • Unauthorized rules execution order update (CVE-2025-53105)

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Download GLPI

GLPI Release 10.0.17

by | Nov 6, 2024 | News

A new GLPI version is available!

This release fixes a few security issues that have been recently discovered. The update is recommended!

You can download the GLPI 10.0.17 archive on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

  • Unauthenticated session hijacking (CVE-2024-50339)
  • Account takeover through SQL injection (CVE-2024-40638)
  • Users email enumeration by unauthenticated user (CVE-2024-43416)
  • Account takeover without privilege escalation through the API (CVE-2024-47758)
  • Account takeover via the password reset feature (CVE-2024-47761)
  • Account takeover via API (CVE-2024-47760)
  • Insecure account deletion by authenticated user (CVE-2024-48912)
  • Authenticated SQL Injection (CVE-2024-45608)
  • Authenticated SQL injection in ticket form (CVE-2024-41679)
  • Stored XSS in RSS feeds (CVE-2024-45611)
  • Stored XSS via document upload (CVE-2024-47759)
  • Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)

Many bug fixes have also been made, read the full changelog for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.

Follow us on our social media!

Follow us!

New GLPI version 10.0.3

by | Sep 14, 2022 | News

A new GLPI version is available.

This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!

You can download the GLPI 10.0.3 archive on GitHub.
Exceptionally, as we have critical security issues that affects GLPI 9.5, we also release a GLPI 9.5.9 archive.

You’ll find below the list of security issues fixed in this bugfixes version:

  • XSS through registration API (CVE-2022-35945)
  • Leak of sensitive information through login page error (CVE-2022-31143)
  • Stored XSS through global search (CVE-2022-31187)
  • Command injection using a third-party library script (CVE-2022-35914)
  • SQL injection through plugin controller (CVE-2022-35946)
  • Authentication via SQL injection (CVE-2022-35947)
  • Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning (CVE-2022-36112)

Also, here is a short list of main changes done in this version:

  • More precise rights checks on inventory (#12610)
  • Display of last inventoried value for locked fields (#12602)
  • Permit to use rules to add computers as virtual machines (#12572)
  • Delegate session cookies security to sysadmin (#12302)
  • Prevent collector failure on invalid mail header (#12232)
  • Many fixes on network inventory

The full changelog is available for more details.

We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!

Regards.