Releases: glpi-project/glpi
11.0.0-beta2
This is a BETA release, do not use in production!
GLPI version 11 major release include many new features and improvements. More information will be available in the coming weeks.
11.0.0-beta
This is a BETA release, do not use in production!
GLPI version 11 major release include many new features and improvements. More information will be available in the coming weeks.
10.0.18
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.18 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - High] Unauthenticated SQL injection through the inventory endpoint (CVE-2025-24799)
- [SECURITY - High] Authenticated Remote code execution (CVE-2025-24801)
- [SECURITY - High] SQL injection through the rules configuration (CVE-2025-21619)
- [SECURITY - Moderate] Open Redirection (CVE-2024-11955)
- [SECURITY - Moderate] Reflected XSS in search page (CVE-2025-21627)
- [SECURITY - Moderate] Exposure of sensitive information in the
status.phpendpoint (CVE-2025-21626) - [SECURITY - Moderate] Plugins disabled by unauthenticated user (CVE-2025-23024)
- [SECURITY - Moderate] Unauthorized authentication by email using the OAuthIMAP plugin (CVE-2025-23046)
- [SECURITY - Moderate] Unauthorized access to debug mode (CVE-2025-25192)
Many bug fixes have also been made, read the full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
11.0.0-alpha2
Second alpha for GLPI 11
10.0.17
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.17 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - critical] Unauthenticated session hijacking (CVE-2024-50339)
- [SECURITY - high] Account takeover through SQL injection (CVE-2024-40638)
- [SECURITY - high] Users email enumeration by unauthenticated user (CVE-2024-43416)
- [SECURITY - high] Account takeover without privilege escalation through the API (CVE-2024-47758)
- [SECURITY - high] Account takeover via the password reset feature (CVE-2024-47761)
- [SECURITY - high] Account takeover via API (CVE-2024-47760)
- [SECURITY - high] Insecure account deletion by authenticated user (CVE-2024-48912)
- [SECURITY - moderate] Authenticated SQL Injection (CVE-2024-45608)
- [SECURITY - moderate] Authenticated SQL injection in ticket form (CVE-2024-41679)
- [SECURITY - moderate] Stored XSS in RSS feeds (CVE-2024-45611)
- [SECURITY - moderate] Stored XSS via document upload (CVE-2024-47759)
- [SECURITY - moderate] Multiple reflected XSS (CVE-2024-43417, CVE-2024-43418, CVE-2024-45609, CVE-2024-45610, CVE-2024-41678)
Many bug fixes have also been made, read the full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
11.0.0-alpha
First alpha for GLPI 11
10.0.16
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.16 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - high] Account takeover via SQL Injection in AJAX scripts (CVE-2024-37148)
- [SECURITY - high] Remote code execution through the plugin loader (CVE-2024-37149)
- [SECURITY - moderate] Authenticated file upload to restricted tickets (CVE-2024-37147)
Also, here is a short list of main changes done in this version:
- [FIX] Freesize database field was not correctly migrated
- [FIX] Network inventoried stacked switches had all the same name
- [FIX] Remove monitors from inventory when no monitor is present
- [FIX] Import location hierarchy from LDAP and Inventory
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
10.0.15
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.15 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)
- [SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)
Also, here is a short list of main changes done in this version:
- [FIX] Fix used right by reservation form.
- [FIX] Do not rely on input to apply rules rights.
- [FIX] Always store updated SMTP Oauth refresh token.
- [TASK] Upgrade tinymce.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.
10.0.14
Due to a few regressions in the last (10.0.13), an early release is available.
Here is the list of corrections made in this version:
- [FIX] Fix assign field when suppliers assign is available
- [FIX] Switching entities issues
You can download the GLPI 10.0.14 archive on GitHub.
Regards.
10.0.13
This is a security release, upgrading is recommended
This release fixes a few security issues that have been recently discovered. Update is recommended!
You can download the GLPI 10.0.13 archive on GitHub.
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - high] SQL Injection in through the search engine (CVE-2024-27096)
- [SECURITY - moderate] Blind SSRF using Arbitrary Object Instantiation (CVE-2024-27098)
- [SECURITY - moderate] Stored XSS in dashboards (CVE-2024-27104)
- [SECURITY - moderate] Reflected XSS in debug mode (CVE-2024-27914)
- [SECURITY - moderate] Sensitive fields access through dropdowns (CVE-2024-27930)
- [SECURITY - moderate] Users emails enumeration (CVE-2024-27937)
Also, here is a short list of main changes done in this version:
- [FIX] Error when creating a Ticket with SLA/OLA.
- [FIX] Weekly recurrent reservations creation does not work.
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.