CVE-2025-21626 Information

Description

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18 an anonymous user can fetch sensitive information from the status.php endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the status.php file restrict its access or remove any sensitive values from the name field of the active LDAP directories mail servers authentication providers and mail receivers.

Reference

https://github.com/glpi-project/glpi/releases/tag/10.0.18 https://github.com/glpi-project/glpi/security/advisories/GHSA-5vvr-pxwf-3w77