Description
GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Published: 2026-06-03
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a technician to inject an arbitrary JavaScript payload into the asset lock field, which is then stored permanently in the database. When the asset page is viewed, the script executes in the browser of any logged‑in user who opens it, potentially allowing theft of session cookies, defacement of the web interface, or redirection to malicious sites. This is a classic stored XSS, classified under CWE‑79, and it also involves improper encoding or escaping of output (CWE‑116).

Affected Systems

GLPI versions starting at 10.0.4 and up to, but not including, 10.0.25 (that is, 10.0.4 through 10.0.24) are vulnerable. Similarly, all releases of the 11.0 series preceding 11.0.7 (11.0.0 through 11.0.6) remain susceptible. Any deployment running one of these releases requires an upgrade to 10.0.25 or 11.0.7 to fix the stored XSS flaw.

Risk and Exploitability

With a CVSS score of 8.4 the flaw is considered high severity. No EPSS information is available, and the flaw is not listed in the CISA KEV catalog, but the stored nature of the payload provides a realistic attack vector through the web application itself. An attacker with technician privileges can enter the payload once, and every subsequent user viewing the affected asset will be exposed. The lack of built‑in input validation or output sanitization in the asset lock interface is the root cause of this risk.

Generated by OpenCVE AI on June 3, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GLPI to version 10.0.25 or later, or to 11.0.7.
  • If an upgrade cannot be performed immediately, restrict the asset lock feature to a trusted administrator role or disable it for untrusted users.
  • Implement a Content Security Policy (CSP) with a strict script source policy to mitigate the impact of any residual XSS content.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 17:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Glpi-project; Glpi-project glpi

Type: Vendors & Products
Values Removed: (none)
Values Added: Glpi-project; Glpi-project glpi

Wed, 03 Jun 2026 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Type: Title
Values Removed: (none)
Values Added: GLPI has stored XSS in asset locks

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-116; CWE-79

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T15:51:58.073Z

Reserved: 2026-04-26T12:37:18.170Z

Link: CVE-2026-42321

Vulnrichment

Updated: 2026-06-03T15:51:55.320Z

NVD

Status : Deferred

Published: 2026-06-03T16:16:30.003

Modified: 2026-06-04T15:41:35.193

Link: CVE-2026-42321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T18:00:07Z

Weaknesses
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')