GLPI Plugins: 15 Flaws Patched, Including a Critical RCE
On June 29, 2026, Teclib' published a security advisory covering several of its community plugins for GLPI. At the top of the vulnerability stack is a critical remote code execution (RCE) flaw in the GenericObject plugin. Here’s what you need to know about these security patches.
A Critical RCE in GenericObject
This is the vulnerability to address first. According to the advisory published by GLPI, the GenericObject plugin, used to create custom object and asset types in GLPI, is affected by a flaw that can lead to remote code execution. Considered critical, it has a CVSS score of 8.9 out of 10.
A security flaw like this can allow an attacker to execute arbitrary code on the vulnerable GLPI instance. This can have serious consequences for the server, since it hosts a tool that centralizes IT asset inventory and management.
This is truly the update to prioritize.
The Other Vulnerabilities
GenericObject is not the only plugin affected. The security bulletin lists a total of 15 vulnerabilities spread across several community plugins. These range from SQL injection flaws to Cross-Site Scripting (XSS) issues.
Below is the summary table from the GLPI security advisory:
| Plugin | Vulnerability type | CVSS | Severity | GLPI 10 | GLPI 11 |
|---|---|---|---|---|---|
| GenericObject | Remote Code Execution (RCE) | 8.9 | 🔴 Critical | ✅ | ❌ |
| | SQL Injection (SQLi) | 6.1 | 🟡 Medium | ❌ | ✅ |
| Datainjection | SQL Injection (SQLi) | 7.1 | 🟠 High | ❌ | ✅ |
| Formcreator | Cross-Site Scripting (XSS) | 6.7 | 🟡 Medium | ✅ | ❌ |
| Escalade | Access control flaw | 7.7 | 🟠 High | ✅ | ✅ |
| Credit | Access control flaw | 7.7 | 🟠 High | ✅ | ✅ |
| Fields | Cross-Site Scripting (XSS) | 7.3 | 🟠 High | ❌ | ✅ |
| Order | Cross-Site Scripting (XSS) – 3 flaws | 7.3 | 🟠 High | ❌ | ✅ |
| Treeview | Cross-Site Scripting (XSS) | 7.3 | 🟠 High | ❌ | ✅ |
| Tag | Cross-Site Scripting (XSS) | 7.3 | 🟠 High | ❌ | ✅ |
| Oauthimap | Cross-Site Scripting (XSS) | 7.3 | 🟠 High | ❌ | ✅ |
| Glpinventory | Access control flaw | 6.3 | 🟡 Medium | ❌ | ✅ |
| Glpinventory | Cross-Site Scripting (XSS) | 7.3 | 🟠 High | ✅ | ✅ |
As a reminder, just a few days ago Teclib' had already fixed sixteen flaws in GLPI 11.0.8 and 10.0.26, including two critical ones. Now it’s the plugins’ turn to receive a code hardening update.
GLPI Network Cloud Already Patched
Good news for organizations that do not manage their own GLPI instance: all fixes related to these plugins have already been deployed on the GLPI Network Cloud Public and Private platforms. No action is required for instances hosted in these managed environments.
The burden therefore falls mainly on administrators of self-hosted instances. If you manage your own server (for example after following our step-by-step tutorial on installing GLPI on Debian), it is up to you to apply the updates.

