← volver
CVE-2026-13490

glpi-project glpi Document document.send.php canViewFile authorization

CVSS 6.3 MEDIUMCWE-285CWE-639
Vexday Risk Score
10Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.3EPSS KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
28 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be executed remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
Productos afectados
glpi-project · glpi

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://vuldb.com/cve/CVE-2026-13490https://vuldb.com/submit/838225https://vuldb.com/vuln/374487https://vuldb.com/vuln/374487/cti