CVE-2026-25932 — Cross-site Scripting in Glpi

CWE-79 — Cross-site Scripting CWE-116 — Improper Encoding or Escaping of Output8 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 90.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedApr 6

Latest updateApr 13

Description

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDglpi-project/glpi0.60 — 10.0.24

▶CVEListV5glpi-project/glpi>= 0.60, < 10.0.24

🔴Vulnerability Details

VulDB

glpi-project glpi up to 10.0.23 supplier cross site scripting (GHSA-m627-945g-x7xh / Nessus ID 305610)↗2026-04-13

▶

OSV

CVE-2026-25932: GLPI is a Free Asset and IT Management Software package↗2026-04-07

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29047 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26263 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26026 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25932 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26027 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶