CVE-2025-52897 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Glpi

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-601 — Open Redirect2 documents2 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 70.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedJul 30

Description

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDglpi-project/glpi9.1.0 — 10.0.19

▶CVEListV5glpi-project/glpi>= 9.1.0, < 10.0.19

🔴Vulnerability Details

OSV

CVE-2025-52897: GLPI is a Free Asset and IT Management Software package↗2025-07-30

▶