CVE-2025-64520 MEDIUM

CVE-2025-64520: GLPI vulnerable to unauthorized access to restricted Knowledge Base items through the API

Vendor Glpi-Project

Product glpi

Weakness CWE-862 · Missing authorization

Published December 16, 2025

Last update December 17, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

Key dates

02Disclosure timeline

December 16, 2025 CVE published

December 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64520 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-13715 zStore Manager Basic <= 3.311 - Missing Authorization to Authenticated (Subscriber+) Cache Clearing CVE-2025-39559 WordPress Bring Fraktguiden for WooCommerce plugin <= 1.11.4 - Broken Access Control vulnerability CVE-2025-11257 LLM Hubspot Blog Import <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Hubspot Import CVE-2025-15390 PHPGurukul Small CRM edit-user.php authorization CVE-2026-42726 WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability