Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Stored cross‑site scripting via inventory endpoint
Action: Patch Immediately
AI Analysis

Impact

GLPI versions 11.0.0 through 11.0.5 contain an unauthenticated stored cross‑site scripting vulnerability that allows a user without authentication to store malicious scripts via the inventory endpoint. The stored payload is rendered later when a user views inventory data, potentially executing arbitrary JavaScript in that user’s browser. Based on the description, it is inferred that any authenticated user who views the affected inventory item would be subject to the script execution, leading to client‑side code execution and possible session hijacking or data theft. This flaw is a typical input validation failure and is classified as CWE-79.

Affected Systems

The vulnerability affects the glpi project’s GLPI asset and IT management software. All releases from version 11.0.0 up to, but not including, 11.0.6 are impacted. Version 11.0.6 and later contain the vendor‑supplied fix.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. The attack requires no credentials and exploits a publicly reachable endpoint, meaning the effort to attack is low. No publicly documented exploits are listed in the provided data, and the vulnerability is absent from the CISA Known Exploited Vulnerabilities catalog. The EPSS score is not available, preventing a precise approximation of exploitation frequency, but the combination of high severity and low effort still presents a significant risk.

Generated by OpenCVE AI on April 6, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GLPI 11.0.6 or newer to apply the vendor patch
  • If an upgrade cannot be performed immediately, limit access to the inventory endpoint so that only authorized users can add or modify inventory items
  • As a temporary safeguard, implement a content‑security policy or server‑side sanitization of inventory input to block script tags

Generated by OpenCVE AI on April 6, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Glpi-project
Glpi-project glpi
Vendors & Products Glpi-project
Glpi-project glpi

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Title GLPI has an Unauthenticated Stored XSS via inventory
Weaknesses CWE-116
CWE-306
CWE-79
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Glpi-project Glpi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T14:51:39.422Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26027

cve-icon Vulnrichment

Updated: 2026-04-06T14:51:34.878Z

cve-icon NVD

Status : Received

Published: 2026-04-06T15:17:07.243

Modified: 2026-04-06T15:17:07.243

Link: CVE-2026-26027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:32:42Z

Weaknesses