/// ALL POSTS

CVE-2026-22248 - From File Upload to RCE via Unsafe Deserialization

[2026-02-04] | Category: Security Research | Reading time: 20 min

GLPI is an open-source IT asset management software used by thousands of organizations worldwide. I identified a vulnerability chain that allows an authenticated administrator to achieve Remote Code Execution (RCE) via PHP Object Injection in the progress indicator storage mechanism.

CVE-2026-22248 object injection insecure desegrialization rce glpi