Vulnerability Description
GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 0.71, < 10.0.18 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/releases/tag/10.0.18Release Notes
- https://github.com/glpi-project/glpi/security/advisories/GHSA-5vvr-pxwf-3w77Vendor Advisory
FAQ
What is CVE-2025-21626?
CVE-2025-21626 is a vulnerability with a CVSS score of 5.8 (MEDIUM). GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Versio...
How severe is CVE-2025-21626?
CVE-2025-21626 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-21626?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.