Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Published: 2026-04-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Apply Patch
AI Analysis

Impact

This vulnerability lets an unauthenticated client store a script payload in a GLPI instance through the inventory endpoint. The payload is persisted and later rendered, without adequate encoding, in the browser of any GLPI user who views the affected page, allowing the attacker to steal session cookies, deface content, or perform actions in that user's context. The record lists three weaknesses: CWE-79 (cross-site scripting) and CWE-116 (improper encoding or escaping of output), because the stored inventory data reaches the page without being encoded for the HTML context it lands in, and CWE-306 (missing authentication for a critical function), because the endpoint that accepts the data does not require authentication.
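GLPI itself is written in PHP; the Python below is an added illustration of the weakness class described above, not GLPI code and not part of the OpenCVE analysis. It uses a constructed inventory record carrying script payloads, a hypothetical page template that interpolates the stored values verbatim (the CWE-116/CWE-79 pattern), and the same template with encoding applied at output time. A small parser-based audit counts the elements and on* handlers a browser would see in each rendering.

```python
import html
from html.parser import HTMLParser

# Constructed sample (not real GLPI data): an inventory record whose device
# name and serial carry script payloads of the kind an unauthenticated
# submitter could supply.
INVENTORY_RECORD = {
    "name": '<img src=x onerror="alert(document.cookie)">',
    "serial": 'ABC" onmouseover="alert(1)',
}


def render_vulnerable(record):
    """Hypothetical page fragment that interpolates stored values verbatim.

    This is the CWE-116 / CWE-79 pattern: the data was stored unchanged and is
    placed into HTML at render time without encoding, so the browser treats
    the stored text as markup and runs the handlers.
    """
    return (
        f"<tr><td>{record['name']}</td>"
        f"<td><input value=\"{record['serial']}\"></td></tr>"
    )


def render_hardened(record):
    """Same fragment with encoding applied at output time.

    html.escape(quote=True) encodes & < > " and ', which covers both contexts
    used here: element body and a double-quoted attribute value. Filtering at
    storage time is not a substitute; encoding belongs where the value is
    emitted, because only that point knows the output context.
    """
    name = html.escape(record["name"], quote=True)
    serial = html.escape(record["serial"], quote=True)
    return (
        f"<tr><td>{name}</td>"
        f"<td><input value=\"{serial}\"></td></tr>"
    )


class _MarkupAudit(HTMLParser):
    """Collects start tags and on* attributes, roughly as a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit(fragment):
    """Return (start tags seen, number of on* event-handler attributes).

    The template itself contributes tr, td, td, input and no handlers;
    anything beyond that came from the stored data.
    """
    parser = _MarkupAudit()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        fragment = render(INVENTORY_RECORD)
        print(label, audit(fragment))
        print("   ", fragment)
```

The vulnerable rendering yields an extra img element and two event handlers; the hardened one yields only the template's own four elements and no handlers, even though the stored record is identical in both cases.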

Affected Systems

GLPI, the open-source asset and IT management application from the glpi-project. Versions from 11.0.0 up to, but not including, 11.0.6 are affected; 11.0.6 contains the fix. Any installation in that range whose inventory endpoint is reachable by an untrusted party is at risk.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network without credentials (PR:N), but rated high attack complexity (AC:H) and requiring a victim to view the stored content (UI:R). The EPSS score is below 1 %, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attacker needs no account: they submit a crafted payload to the inventory endpoint and then wait for, or lure, a GLPI user to open the page on which the stored data is displayed.

Generated by OpenCVE AI on April 7, 2026 at 22:56 UTC.

Remediation

The vendor fixed this vulnerability in GLPI 11.0.6; upgrade to that release or later. No separate workaround is listed in the record.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.6 or later.
  • If upgrading is not immediately possible, restrict network access to the inventory endpoint (for example at the reverse proxy or firewall) to the hosts that legitimately submit inventory, so that untrusted parties cannot reach it.
  • If you maintain local customizations or plugins that display inventory data, HTML-encode the values at output time for the context they land in (element body or quoted attribute) rather than relying on filtering at storage; encoding on output is the control that CWE-116 and CWE-79 describe as missing.
  • Regularly review the GLPI security advisories and apply subsequent patches as they become available.
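To act on the first item across a fleet, the version comparison has to be numeric, not lexical ("11.0.10" sorts before "11.0.6" as a string). The Python below is an added example, not OpenCVE's or GLPI's code: it encodes the affected range from this record as [introduced, fixed), parses GLPI-style version strings (the accepted shapes are an assumption of the example), treats prereleases conservatively (also an assumption), and triages a constructed sample fleet.

```python
import re

# Affected range from this record: 11.0.0 <= version < 11.0.6 (fixed in 11.0.6).
# Expressed as [introduced, fixed) so further ranges can be appended later.
AFFECTED_RANGES = [((11, 0, 0), (11, 0, 6))]

# Accepts "11.0.5", "11.0", "11.0.0-rc1", "11.0.6rc1"; the shape of GLPI
# version strings is an assumption of this example, not taken from the record.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.]?([0-9A-Za-z.]+))?\s*$"
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_tag_or_None).

    Comparing version strings lexically is the classic mistake here:
    "11.0.10" < "11.0.6" as strings, so 11.0.10 would wrongly be flagged.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0)), pre


def _sort_key(numbers, pre):
    # A prerelease sorts before the final release with the same numbers.
    return (numbers, 0 if pre else 1)


def is_affected(text):
    """True when the version lies inside an affected [introduced, fixed) range.

    Prereleases are handled conservatively (an assumption of this example):
    11.0.0-rc1 is counted as affected, and 11.0.6-rc1 is counted as not yet
    fixed, because only the final 11.0.6 is stated to contain the fix.
    """
    numbers, pre = parse_version(text)
    key = _sort_key(numbers, pre)
    for introduced, fixed in AFFECTED_RANGES:
        if _sort_key(introduced, "pre") <= key < _sort_key(fixed, None):
            return True
    return False


# Constructed sample (not real hosts): hostname -> GLPI version it reports.
SAMPLE_FLEET = {
    "glpi-prod": "11.0.5",
    "glpi-staging": "11.0.6",
    "glpi-lab": "11.0.0-rc1",
    "glpi-legacy": "10.0.20",
    "glpi-new": "11.0.10",
}


def hosts_to_upgrade(fleet):
    """Sorted list of hosts whose reported version is in an affected range."""
    return sorted(host for host, version in fleet.items() if is_affected(version))


if __name__ == "__main__":
    for host, version in SAMPLE_FLEET.items():
        status = "AFFECTED" if is_affected(version) else "ok"
        print(f"{host:13} {version:10} {status}")
    print("upgrade:", hosts_to_upgrade(SAMPLE_FLEET))
```

Feed the function whatever version source you trust for your hosts (configuration management facts, an HTTP banner you have confirmed is accurate, or the version reported in the GLPI UI); the example deliberately does not guess at how a given deployment exposes its version.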



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

  Type: CPEs
  Values Added: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

  Type: First Time appeared
  Values Added: Glpi-project; Glpi-project glpi

  Type: Vendors & Products
  Values Added: Glpi-project; Glpi-project glpi

Mon, 06 Apr 2026 15:30:00 +0000

  Type: Description
  Values Added: GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

  Type: Title
  Values Added: GLPI has an Unauthenticated Stored XSS via inventory

  Type: Weaknesses
  Values Added: CWE-116, CWE-306, CWE-79

  Type: References
  Values Added: (empty in this entry)

  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T03:55:40.983Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26027

Vulnrichment

Updated: 2026-04-06T14:51:34.878Z

NVD

Status : Analyzed

Published: 2026-04-06T15:17:07.243

Modified: 2026-04-07T16:02:54.217

Link: CVE-2026-26027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:50:50Z

Weaknesses