CVE-2025-65035 MEDIUM

CVE-2025-65035: GLPI Database Inventory Plugin Vulnerable to Stored Object Injection

Vendor Pluginsglpi
Product databaseinventory
Weakness CWE-502 · Unsafe deserialization
Published December 19, 2025
Last update December 19, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, under certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue.

Key dates

02 Disclosure timeline

December 19, 2025 CVE published
December 19, 2025 Record updated