CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11321

mediumCVSS 6.4covered by 1 sourcefirst seen 2026-07-10
The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embed SQL expressions such as SLEEP() in a mapped field (for example Serial Number) to manipulate the generated query and extract database information via time-based blind injection.

⚡ Watch CVE-2026-11321

Get an email if CVE-2026-11321 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-11321

CVE.org record

Embed the live status

CVE-2026-11321 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11321 status](https://www.csirts.com/badge/CVE-2026-11321)](https://www.csirts.com/cve/CVE-2026-11321)