CVE-2026-26027 — Cross-site Scripting in Glpi

CWE-79 — Cross-site Scripting CWE-116 — Improper Encoding or Escaping of Output CWE-306 — Missing Authentication for Critical Function8 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 86.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedApr 6

Latest updateApr 13

Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDglpi-project/glpi11.0.0 — 11.0.6

▶CVEListV5glpi-project/glpi>= 11.0.0, < 11.0.6

🔴Vulnerability Details

VulDB

glpi-project glpi up to 11.0.5 Inventory Endpoint cross site scripting (GHSA-chch-wcm9-f9cp / Nessus ID 305612)↗2026-04-13

▶

OSV

CVE-2026-26027: GLPI is a free asset and IT management software package↗2026-04-07

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29047 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26263 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26026 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25932 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26027 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶