Description
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.
Published: 2026-03-03
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (CWE‑79)
Action: Apply Patch
AI Analysis

Impact

The GLPI Inventory Plugin manages network discovery, inventory, software deployment and data collection for GLPI agents. It contains a reflected XSS flaw in the task jobs page that exists before version 1.6.6. An attacker can inject malicious scripts into the URL or form fields associated with task jobs, causing the browser of anyone who views the page to execute arbitrary JavaScript. This vulnerability is cataloged as CWE‑79 and, while it does not grant direct code execution on the server, it can facilitate phishing, cookie theft or other client‑side attacks.

Affected Systems

The flaw affects all releases of the GLPI Inventory Plugin older than 1.6.6. Versions 1.6.6 and newer contain the fix. The affected product is the glpi-project glpi-inventory-plugin, and the issue is documented by the GLPI project and disclosed on GitHub.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate impact, and the EPSS score of less than 1% shows low exploitation probability as of the current data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted URL or form input that a victim visits or submits, which allows an attacker to inject JavaScript into the task jobs page. The flaw requires a victim to open the page; no privileged access is necessary, so it can be exploited via social engineering or phishing campaigns.

Generated by OpenCVE AI on April 16, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GLPI Inventory Plugin to version 1.6.6 or later.
  • If an immediate upgrade is not feasible, restrict access to the task jobs page to trusted users or disable the feature until a patch is available.
  • Deploy Web Application Firewall rules to block payloads containing script tags or encoded JavaScript in task job inputs.

Generated by OpenCVE AI on April 16, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi Inventory
Vendors & Products Glpi-project
Glpi-project glpi Inventory

Tue, 03 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.
Title GLPI Inventory Plugin has Reflected XSS in task jobs
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Glpi-project Glpi Inventory
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:52:27.907Z

Reserved: 2026-02-03T01:02:46.716Z

Link: CVE-2026-25590

cve-icon Vulnrichment

Updated: 2026-03-04T16:52:24.703Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T23:15:53.800

Modified: 2026-03-05T21:23:06.057

Link: CVE-2026-25590

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses