Description
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in ITIL costs. This issue has been fixed in version 11.0.7.
Published: 2026-06-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GLPI asset and IT management software contains a stored XSS flaw in ITIL cost records: a script stored in such a record is executed when the record is later viewed. This can allow an attacker to run arbitrary script in the browsers of logged-in users, potentially exposing session cookies or sensitive data, or performing actions on the victim's behalf. The weakness is classified as CWE-79.

Affected Systems

The flaw is present in GLPI versions 11.0.0 through 11.0.6. Management of ITIL costs is performed by users with technician privileges, so any installed instance running one of those versions is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the attacker to hold a technician role within GLPI; the payload is injected into the cost field, which is then rendered unescaped when viewed by other users. If an attacker gains such access, the stored script executes in the browser of any user who opens the affected ITIL cost record.

Generated by OpenCVE AI on June 3, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 11.0.7 or later, which removes the vulnerability
  • Reevaluate technician role permissions to limit creation or modification of ITIL cost records
  • Verify that form input for ITIL costs is properly escaped before rendering to prevent XSS
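The third action above is about output encoding. The following is an added illustration, not GLPI's own code: it places the vulnerable rendering pattern (user-controlled record fields interpolated straight into HTML) beside the hardened one (every string escaped at output time, quotes included) for a constructed ITIL cost record. The `ITILCost` field names and the sample comment are assumptions made for this example and do not reflect GLPI's schema or the actual vulnerable code.

```python
import html
from dataclasses import dataclass


@dataclass
class ITILCost:
    """Stand-in for an ITIL cost record; field names are assumptions, not GLPI's schema."""
    name: str
    comment: str
    cost: float


def escape_field(value) -> str:
    """HTML-escape a user-controlled value for a text node or attribute context.
    quote=True also encodes " and ', so the output is safe inside quoted attributes."""
    return html.escape(str(value), quote=True)


def render_row_unescaped(c: ITILCost) -> str:
    """Vulnerable pattern: user-controlled fields go into the HTML as-is."""
    return f"<tr><td>{c.name}</td><td>{c.comment}</td><td>{c.cost:.2f}</td></tr>"


def render_row_escaped(c: ITILCost) -> str:
    """Hardened pattern: every user-controlled string is escaped at the point of output."""
    return (
        f"<tr><td>{escape_field(c.name)}</td>"
        f"<td>{escape_field(c.comment)}</td>"
        f"<td>{c.cost:.2f}</td></tr>"
    )


def contains_active_markup(rendered: str) -> bool:
    """Simple check used by a reviewer or test: does the rendered HTML still carry
    a raw <script tag or an inline event handler?"""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


# Constructed sample record (not a real GLPI record) whose comment carries markup.
SAMPLE = ITILCost(name="Onsite visit", comment='<script>alert("stored")</script>', cost=120.0)

if __name__ == "__main__":
    print("unescaped:", render_row_unescaped(SAMPLE))
    print("escaped:  ", render_row_escaped(SAMPLE))
```

The hardened row renders the comment as the literal text `&lt;script&gt;alert(&quot;stored&quot;)&lt;/script&gt;`, which the browser displays rather than executes. The same idea in PHP, GLPI's language, is `htmlspecialchars($value, ENT_QUOTES)` applied in the template, not on input: sanitising only at write time misses every other path by which a value reaches the page.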

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Glpi-project; Glpi-project glpi
Vendors & Products | | Glpi-project; Glpi-project glpi

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.
Title | | GLPI Vulnerable to Stored XSS in ITIL Costs
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T12:41:58.361Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40108

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T23:16:37.627

Modified: 2026-06-02T23:16:37.627

Link: CVE-2026-40108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:15:24Z

Weaknesses