CVE-2025-21626

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-21626

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21626.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-21626

Aliases

GHSA-5vvr-pxwf-3w77

Downstream

UBUNTU-CVE-2025-21626

Published

2025-02-25T15:37:27.689Z

Modified

2026-04-10T05:22:32.943722Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

GLPI vulnerable to exposure of sensitive information in the `status.php` endpoint

Details

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the status.php endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the status.php file, restrict its access, or remove any sensitive values from the name field of the active LDAP directories, mail servers authentication providers and mail receivers.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21626.json"
}

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

b64f35c04d55c517c424c8feaf5bbfa9bae4e3ff

Fixed

9389461d8a207bdcdf4f50f9db9fc8acdf6c7bbf

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21626.json"