- New version 10.0.16
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-37148 : Account takeover via SQL Injection in AJAX scripts
 + CVE-2024-37149 : Remote code execution through the plugin loader
 + CVE-2024-37147 : Authenticated file upload to restricted tickets

- New version 10.0.15
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-31456 Authenticated SQL injection from map search
 + CVE-2024-29889 Account takeover via SQL Injection in saved searches feature

- New version 10.0.14
- Due to a few regressions in the last (10.0.13), an early release is available.

- New version 10.0.12
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2024-23645 : Reflected XSS in reports pages
 + CVE-2023-51446 : LDAP Injection during authentication ()

- Fix spec (ALT #48856)

- New version 10.0.11
- This release fixes a security issue that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-43813 : Authenticated SQL Injection
 + CVE-2023-46727 : SQL injection through inventory agent request
 + CVE-2023-46726 : Remote code execution from LDAP server configuration form on PHP 7.4
- Deleted glpi-php8.0

- New version 9.5.13
- This release fixes several security issues that have been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-28632 : Account takeover by authenticated user
 + CVE-2023-28838 : SQL injection through dynamic reports
 + CVE-2023-28852 : Stored XSS through dashboard administration
 + CVE-2023-28636 : Stored XSS on external links
 + CVE-2023-28639 : Reflected XSS in search pages
 + CVE-2023-28634 : Privilege Escalation from technician to super-admin
 + CVE-2023-28633 : Blind Server-Side Request Forgery (SSRF) in RSS feeds

- New version 9.5.12
- This release fixes several security issues that has been recently discovered. Update is recommended!
- Security fixes:
 + CVE-2023-22722 : XSS on browse views
 + CVE-2023-22725 : XSS on external links
 + CVE-2023-23610 : Unauthorized access to data export
 + CVE-2022-41941 : Stored XSS inside Standard Interface Help Link href attribute

- New version 9.5.11
- Bugfix for previouys release

- New version 9.5.9
- This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!
- Security fixes:
 + CVE-2022-35945 : XSS through registration API
 + CVE-2022-31143 : Leak of sensitive information through login page error
 + CVE-2022-35914 : [critical] Command injection using a third-party library script
 + CVE-2022-35946 : SQL injection through plugin controller
 + CVE-2022-35947 : [critical] Authentication via SQL injection
 + CVE-2022-36112 : Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning

- New version 9.5.8
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2022-31061 : SQL injection on login page
 + CVE-2022-24868 : XSS / open redirect via SVG file upload
 + CVE-2022-24869 : Cross Site CSS Injection

- New version 9.5.7
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2022-21720 : SQL injection using custom CSS administration form
 + CVE-2022-21719 : Reflected XSS using reload button

- New version 9.5.6
- This is a security release, upgrading is recommended
- Security fixes:
 + CVE-2021-39211 : Disclosure of GLPI and server informations in telemetry endpoint
 + CVE-2021-39210 : Autologin cookie accessible by scripts
 + CVE-2021-39209 : Bypassable CSRF protection on ajax endpoints
 + CVE-2021-39213 : Bypassable IP restriction on GLPI API using custom header injection