CVE-2026-22248

HIGH | CVSS 3.1: 8.0 | EPSS 0.08%
Updated Mar 11, 2026
PHP
Parameter: Value
CVSS: 8.0 (HIGH)
Affected Versions: before 11.0.5
Fixed In: 11.0.5
Type: CWE-502 (Deserialization of Untrusted Data)
Vendor: PHP
Public PoC: No

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

Attack Parameters

Attack Vector: Network (Can be exploited remotely)
Attack Complexity: High (Difficult to exploit)
Privileges Required: High (Admin privileges needed)
User Interaction: None (No user interaction needed)

Impact Assessment

Confidentiality: High (Complete data leak)
Integrity: High (Complete data modification)
Availability: High (Complete denial of service)

CVSS Vector v3.1