- New version 11.0.4
- Security fixes:
 + CVE-2026-23624 : Session stealing on externally authenticated user change
 + CVE-2026-22248 : Remote Code Execution via malicious upload
 + CVE-2026-22247 : SSRF via Webhooks

- New version 11.0.4
- Yesterday, 11.0.3 was shipped, but soon after a few annoying regressions has been detected, and so a need for new release.
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2025-64516 : Unauthorized access to documents
 + CVE-2025-66417 : Unauthenticated SQL injection

- New version 11.0.2

- New version 11.0.1

- New version 11.0.0
- Deleted glpi-php8.1

- New version 10.0.20
- Added glpi-php8.4 (ALT #55848)

- New version 3.2.2
- Security fixes:
 + CVE-2025-47286 : Remote Code Execution in the backup creation functionality
 + CVE-2025-49145 : Webhooks: check that callbacks signatures meet the documented expectation

- New version 10.0.19
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2025-27514 : Stored XSS on projects kanban
 + CVE-2025-52567 : Blind SSRF in RSS feeds and planning
 + CVE-2025-52897 : XSS and open redirection in planning
 + CVE-2025-53008 : Mail receiver credentials exfiltration
 + CVE-2025-53357 : Reservations modification by unauthorized user
 + CVE-2025-53113 : Access to unallowed items information through external links
 + CVE-2025-53111 : Data exposure to non allowed users
 + CVE-2025-53112 : Data removal from allowed users
 + CVE-2025-53105 : Unauthorized rules execution order update

- New version 3.2.1.1
- Security fixes:
 + CVE-2024-52601 : Secure Direct Object Reference + prevent Mass Data Leak
 + CVE-2025-24021 : Prevent mass assignment of fields not present in form
 + CVE-2025-24022 : Prevent Portal code injection
 + CVE-2025-24026 : Fix redos in regex (snyk.io)
 + CVE-2024-56157 : Fix self XSS in CSV Import

- New version 10.0.18
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2025-24799 : Unauthenticated SQL injection through the inventory endpoint
 + CVE-2025-24801 : Authenticated Remote code execution
 + CVE-2025-21619 : SQL injection through the rules configuration
 + CVE-2024-11955 : Open Redirection
 + CVE-2025-21627 : Reflected XSS in search page
 + CVE-2025-21626 : Exposure of sensitive information in the status.php endpoint
 + CVE-2025-23024 : Plugins disabled by unauthenticated user
 + CVE-2025-23046 : Unauthorized authentication by email using the OAuthIMAP plugin
 + CVE-2025-25192 : Unauthorized access to debug mode

- New version 3.2.0.2
- Added itop-php8.2
- Added itop-php8.3
- Security fixes:
 + CVE-2023-46734 : Potential XSS vulnerabilities in TWIG CodeExtension filters
 + CVE-2023-45808 : Can create objects in non allowed org by forging http query in both Console and Portal
 + CVE-2023-43790 : XSS in friendlyname in object details
 + CVE-2023-44396 : XSS vulnerabilities in dashlet ajax operations
 + CVE-2023-47626 : Fix stored XSS in authent token
 + CVE-2023-48709 : Fix CSV injection in Excel from an iTop CSV export file
 + CVE-2023-48710 : Limit pages/exec.php script to PHP files
 + CVE-2024-31448 : Fix XSS vulnerability in link CSV import
 + CVE-2024-32870 : itop hub connector Information disclosure

- New version 10.0.17
- Added glpi-php8.3
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-50339 : Unauthenticated session hijacking
 + CVE-2024-40638 : Account takeover through SQL injection
 + CVE-2024-43416 : Users email enumeration by unauthenticated user
 + CVE-2024-47758 : Account takeover without privilege escalation through the API
 + CVE-2024-47761 : Account takeover via the password reset feature
 + CVE-2024-47760 : Account takeover via API
 + CVE-2024-48912 : Insecure account deletion by authenticated user
 + CVE-2024-45608 : Authenticated SQL Injection
 + CVE-2024-41679 : Authenticated SQL injection in ticket form
 + CVE-2024-45611 : Stored XSS in RSS feeds
 + CVE-2024-47759 : Stored XSS via document upload
 + CVE-2024-43417 : Reflected XSS
 + CVE-2024-43418 : Reflected XSS
 + CVE-2024-45609 : Reflected XSS
 + CVE-2024-45610 : Reflected XSS
 + CVE-2024-41678 : Reflected XSS

- New version 10.0.16
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-37148 : Account takeover via SQL Injection in AJAX scripts
 + CVE-2024-37149 : Remote code execution through the plugin loader
 + CVE-2024-37147 : Authenticated file upload to restricted tickets

- New version 10.0.15
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-31456 Authenticated SQL injection from map search
 + CVE-2024-29889 Account takeover via SQL Injection in saved searches feature

- New version 10.0.14
- Due to a few regressions in the last (10.0.13), an early release is available.

- New version 10.0.12
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-23645 : Reflected XSS in reports pages
 + CVE-2023-51446 : LDAP Injection during authentication ()

- New version 3.1.1.1
- Security fixes:
 + CVE-2023-48710 : Restrict pages/exec.php to PHP files
 + CVE-2023-48709 : Fix CSV injection in Excel from an iTop CSV export file
 + CVE-2023-46734 : Fix potential XSS vulnerabilities in TWIG CodeExtension filters
 + CVE-2023-47123 : Fix XSS vulnerability in n:n relations "tagset" widget
 + CVE-2023-47622 : Fix XSS vulnerabilities in ajax operations
 + CVE-2023-47626 : Fix XSS vulnerabilities in authent token
 + CVE-2023-44396 : Fix XSS vulnerabilities in dashlet ajax operations
 + CVE-2023-43790 : Fix XSS vulnerabilities in friendlyname in object details
 + CVE-2023-38511 : Fix dashboard allowing to load multiple files and urls
 + CVE-2023-45808 : Fix object creation in non allowed org by forging http query in both Console and Portal

- Fix spec (ALT #48856)

- New version 10.0.11
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-43813 : Authenticated SQL Injection
 + CVE-2023-46727 : SQL injection through inventory agent request
 + CVE-2023-46726 : Remote code execution from LDAP server configuration form on PHP 7.4
- Deleted glpi-php8.0

- New version 10.0.10
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-42802 : Unallowed PHP script execution
 + CVE-2023-41320 : Account takeover via SQL Injection in UI layout preferences
 + CVE-2023-41326 : Account takeover via Kanban feature
 + CVE-2023-41324 : Account takeover through API
 + CVE-2023-42462 : File deletion through document upload process
 + CVE-2023-41321 : Sensitive fields enumeration through API
 + CVE-2023-41322 : Privilege Escalation from technician to super-admin
 + CVE-2023-41323 : Users login enumeration by unauthenticated user
 + CVE-2023-41888 : Phishing through a login page malicious URL
 + CVE-2023-42461 : SQL injection in ITIL actors

- New version 3.1.0.2
- Security fixes:
 + CVE-2022-24894 : Prevent storing cookie headers in HttpCache (Symfony framework vulnerability)
 + CVE-2022-31402 : XSS vulnerability via /itop/webservices/export-v2.php
 + CVE-2022-39261 : Twig lib vulnerability
- Added itop-php8.1
- Deleted itop-php8.0

- New version 10.0.9
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-37278 : SQL injection in dashboard administration
- Deleted glpi-php7

- New version 3.0.3
- Security fixes:
 + CVE-2021-46743 : Firebase PHP-JWT key/algorithm type confusion
 + CVE-2022-31403 : XSS vulnerability via /itop/pages/ajax.render.php
 + CVE-2022-31402 : XSS vulnerability via /itop/webservices/export-v2.php
- Added itop-php8.0
- Deleted itop-php7

- New version 10.0.7
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-28849 : SQL injection and Stored XSS via inventory agent request
 + CVE-2023-28632 : Account takeover by authenticated user
 + CVE-2023-28838 : SQL injection through dynamic reports
 + CVE-2023-28852 : Stored XSS through dashboard administration
 + CVE-2023-28636 : Stored XSS on external links
 + CVE-2023-28639 : Reflected XSS in search pages
 + CVE-2023-28634 : Privilege Escalation from technician to super-admin
 + CVE-2023-28633 : Blind Server-Side Request Forgery (SSRF) in RSS feeds

- New version 10.0.6
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-22500 : Unauthorized access to inventory files
 + CVE-2023-22722 : XSS on browse views
 + CVE-2023-22725 : XSS on external links
 + CVE-2023-22724 : XSS in RSS Description Link
 + CVE-2023-23610 : Unauthorized access to data export
 + CVE-2022-41941 : Stored XSS inside Standard Interface Help Link href attribute
- Added glpi-php8.2

- New version 10.0.4
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2022-39276 : Blind SSRF in RSS feeds and planning
 + CVE-2022-39372 : Stored XSS in user information
 + CVE-2022-39373 : Stored XSS in entity name
 + CVE-2022-39376 : Improper input validation on emails links
 + CVE-2022-39370 : Improper access to debug panel
 + CVE-2022-39234 : User's session persist after permanently deleting his account
 + CVE-2022-39262 : Stored XSS on login page
 + CVE-2022-39277 : XSS in external links
 + CVE-2022-39375 : XSS through public RSS feed
 + CVE-2022-39323 : SQL Injection on REST API
 + CVE-2022-39371 : Stored XSS through asset inventory

- New version 10.0.3
- This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!
- Security fixes:
 + CVE-2022-35945 : XSS through registration API
 + CVE-2022-31143 : Leak of sensitive information through login page error
 + CVE-2022-31187 : Stored XSS through global search (CVE-2022-31187)
 + CVE-2022-35914 : [critical] Command injection using a third-party library script
 + CVE-2022-35946 : SQL injection through plugin controller
 + CVE-2022-35947 : [critical] Authentication via SQL injection
 + CVE-2022-36112 : Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning

- New version 10.0.2
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2022-31061 : Unauthenticated SQL injection on login page
 + CVE-2022-31056 : SQL injection on actor part in assistance forms
 + CVE-2022-31068 : Unauthenticated Sensitive Data Exposure on Refused Inventory Files

- New version 10.0.1
- This is a security release, upgrading is recommended
- The GLPI licence has been moved to GPLv3+

- New version 10.0.0
- Added glpi-php8.0
- Added glpi-php8.1

- New version 9.5.7
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2022-21720 : SQL injection using custom CSS administration form
 + CVE-2022-21719 : Reflected XSS using reload button

- New version 9.5.6
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2021-39211 : Disclosure of GLPI and server informations in telemetry endpoint
 + CVE-2021-39210 : Autologin cookie accessible by scripts
 + CVE-2021-39209 : Bypassable CSRF protection on ajax endpoints
 + CVE-2021-39213 : Bypassable IP restriction on GLPI API using custom header injection

- New version 9.5.5
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2021-3486 : Stored XSS in plugins information

- New version 9.5.4
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2021-21326 : Horizontal Privilege Escalation
 + CVE-2021-21255 : entities switch IDOR
 + CVE-2021-21258 : XSS injection in ajax/kanban
 + CVE-2021-21314 : XSS injection on ticket update
 + CVE-2021-21312 : Stored XSS on documents
 + CVE-2021-21313 : XSS on tabs
 + CVE-2021-21325 : Stored XSS in budget type
 + CVE-2021-21327 : Unsafe Reflection in getItemForItemtype()
 + CVE-2021-21324 : Insecure Direct Object Reference (IDOR) on "Solutions"

- New version 9.5.3
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2020-27662 : Insecure Direct Object Reference on ajax/comments.php
 + CVE-2020-27663 : Insecure Direct Object Reference on ajax/getDropdownValue.php
 + CVE-2020-26212 : Any CalDAV calendars is read-only for every authenticated user

- Fixed spec

- New version 9.4.6
- This is a security release, upgrading is highly recommended

- New version 2.6.3
- Security fixes:
+ CVE-2019-19821 : Improper Privilege Management
- Removed Python requirements

- New version 9.4.5

- New version 9.4.2
- This is a security release, upgrading is highly recommended

- New version 9.4.2
- This is a security release, upgrading is highly recommended

- New version 2.6.1

- New version 9.4.1

- New version 2.6.0
- Added PHP7 support
- Deleted PHP5 support
- Deleted Apache1 support

- Deleted glpi-php5

- New version 9.4.0

- Fixed glpi-apache2 postun

- New verion 9.3.3
- PHP7 support

- Delete glpi-apache