CVE-2026-22821 - Vulnerability Details - OpenCVE

mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72
https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8

History

Thu, 12 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Feb 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4.
Title		mreporting affected by a SQLI on date change
Weaknesses		CWE-89
References		https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72 https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-12T18:43:59.249Z

Updated: 2026-02-12T19:31:55.400Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22821

Vulnrichment

Updated: 2026-02-12T19:31:43.492Z

NVD

Status : Received

Published: 2026-02-12T19:15:51.883

Modified: 2026-02-12T19:15:51.883

Link: CVE-2026-22821

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22821", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.289Z", "datePublished": "2026-02-12T18:43:59.249Z", "dateUpdated": "2026-02-12T19:31:55.400Z"}, "containers": {"cna": {"title": "mreporting affected by a SQLI on date change", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8"}, {"name": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "tags": ["x_refsource_MISC"], "url": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72"}], "affected": [{"vendor": "pluginsGLPI", "product": "mreporting", "versions": [{"version": "< 1.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:43:59.249Z"}, "descriptions": [{"lang": "en", "value": "mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4."}], "source": {"advisory": "GHSA-24q7-h59q-33w8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T19:25:10.709903Z", "id": "CVE-2026-22821", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T19:31:55.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22821", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T19:25:10.709903Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T19:31:43.492Z"}}], "cna": {"title": "mreporting affected by a SQLI on date change", "source": {"advisory": "GHSA-24q7-h59q-33w8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pluginsGLPI", "product": "mreporting", "versions": [{"status": "affected", "version": "< 1.9.4"}]}], "references": [{"url": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "name": "https://github.com/pluginsGLPI/mreporting/security/advisories/GHSA-24q7-h59q-33w8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "name": "https://github.com/pluginsGLPI/mreporting/commit/6f4a3caf9c1f7bbed1d910795d6e918d039f1f72", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is a possible SQL injection on date change. This vulnerability is fixed in 1.9.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:43:59.249Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22821", "state": "PUBLISHED", "dateUpdated": "2026-02-12T19:31:55.400Z", "dateReserved": "2026-01-09T22:50:10.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T18:43:59.249Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}