Description
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.
Published: 2026-04-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

GLPI is a free asset and IT management software. Versions from 0.60 up to, but not including, 10.0.24 allow an authenticated technician to store malicious scripts in the supplier "Website" field. When that field is viewed, the stored payload is rendered, granting the attacker the ability to deface pages, hijack sessions, or exfiltrate data. This constitutes a CWE-79 vulnerability and involves encoding issues (CWE-116).

Affected Systems

GLPI Project GLPI, any version earlier than 10.0.24. The vulnerability can be exploited by users with technician‑level edit permissions on supplier records.

Risk and Exploitability

The CVSS score is 7.2, reflecting a high severity. The EPSS score is below 1% and the issue is not listed in KEV, indicating limited known exploitation. However, because the exploit only requires local authenticated access, it is relatively easy for any technician with edit rights to inject a payload, potentially impacting many users who view the supplier information.

Generated by OpenCVE AI on April 7, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.24 or later

Generated by OpenCVE AI on April 7, 2026 at 22:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.
Title GLPI has Stored XSS in Supplier 'Website' field
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T13:07:09.230Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25932

cve-icon Vulnrichment

Updated: 2026-04-07T13:07:06.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T15:17:06.907

Modified: 2026-04-07T16:04:32.123

Link: CVE-2026-25932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:53Z

Weaknesses