CVE-2026-22821: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pluginsGLPI mreporting
mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4.
AI Analysis
Technical Summary
CVE-2026-22821 identifies a SQL injection vulnerability in the mreporting plugin of GLPI, an open-source IT asset management suite; the plugin adds reporting features on top of GLPI. The vulnerability exists in plugin versions prior to 1.9.4 and is triggered when date parameters are changed within the plugin. Because special characters are not properly neutralized before being placed in SQL commands (CWE-89), an attacker with authenticated access and high privileges can inject arbitrary SQL code. This can lead to unauthorized disclosure of sensitive information stored in the backend database. The CVSS 3.1 score of 4.9 reflects medium severity: the attack vector is network-based and attack complexity is low, but high privileges are required and no user interaction is needed. The vulnerability does not impact data integrity or availability but compromises confidentiality. No public exploits have been reported to date, and the issue was officially published in February 2026. The fix is included in version 1.9.4 of the mreporting plugin, which properly sanitizes the input parameters to prevent injection. Organizations using GLPI with the vulnerable plugin should assess their exposure and apply the patch promptly to prevent potential data leaks.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive data managed within GLPI environments. Since GLPI is often used by public administrations, enterprises, and managed service providers for IT asset and service management, unauthorized data disclosure could lead to exposure of critical infrastructure details, user information, or internal reporting data. The requirement for authenticated access and high privileges limits the attack surface to insiders or compromised accounts, but the impact remains significant if exploited. Data breaches could result in regulatory penalties under GDPR, reputational damage, and operational disruptions. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with weak access controls or delayed patching. Organizations relying on GLPI for IT management should consider this vulnerability a priority for remediation to maintain compliance and security posture.
Mitigation Recommendations
The primary mitigation is to upgrade the mreporting plugin to version 1.9.4 or later, where the vulnerability is fixed. Organizations should implement strict access controls to limit the number of users with high privileges capable of exploiting this flaw. Conduct regular audits of user permissions and monitor for unusual database queries or access patterns that could indicate attempted exploitation. Employ network segmentation and firewall rules to restrict access to GLPI management interfaces. Additionally, enable logging and alerting on suspicious activities related to the plugin. If immediate patching is not feasible, consider temporarily disabling the mreporting plugin or restricting its usage to trusted administrators. Finally, incorporate secure coding and input validation practices in customizations or integrations with GLPI to prevent similar injection flaws.
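The input validation practice recommended above, shown as an added illustration of the bug class (a date-range parameter spliced into a query) beside its hardened form. This is example code, not the mreporting plugin's own code; the `tickets` table, sample rows and function names are constructed for the demonstration and stand in for no real GLPI schema.

```python
import re
import sqlite3
from datetime import date

# Constructed sample data standing in for a reporting table (not GLPI's schema).
SAMPLE_ROWS = [
    ("2026-01-15", "open", 3),
    ("2026-02-03", "closed", 5),
    ("2026-02-20", "open", 2),
]

# Allow-list shape check: exactly YYYY-MM-DD, nothing before or after.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_valid_report_date(value: str) -> bool:
    """True only for a string that is a real calendar date in ISO form."""
    if not DATE_RE.match(value):
        return False
    try:
        date.fromisoformat(value)  # also rejects impossible dates such as 2026-13-40
    except ValueError:
        return False
    return True


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (day TEXT, status TEXT, count INTEGER)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def report_vulnerable(conn, date_from: str, date_to: str) -> list:
    # The CWE-89 pattern: user-controlled date bounds concatenated into SQL text,
    # so a quote in either value changes the query's structure.
    sql = (f"SELECT day, count FROM tickets "
           f"WHERE day BETWEEN '{date_from}' AND '{date_to}' ORDER BY day")
    return conn.execute(sql).fetchall()


def report_hardened(conn, date_from: str, date_to: str) -> list:
    # Fix: reject anything that is not a date, then bind the values as parameters
    # so they can never be interpreted as SQL. Rejections are worth logging, since
    # a malformed date parameter is a useful signal for the monitoring suggested above.
    for value in (date_from, date_to):
        if not is_valid_report_date(value):
            raise ValueError(f"rejected date parameter: {value!r}")
    sql = "SELECT day, count FROM tickets WHERE day BETWEEN ? AND ? ORDER BY day"
    return conn.execute(sql, (date_from, date_to)).fetchall()
```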
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T22:50:10.289Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698e242ec9e1ff5ad802d084
Added to database: 2/12/2026, 7:04:14 PM
Last enriched: 2/12/2026, 7:19:11 PM
Last updated: 2/12/2026, 8:13:54 PM