CVE-2025-27514

MEDIUM

GLPI <10.0.18 - Stored XSS

Title source: llm

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.

References (2)

[Vendor Advisory] https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj

[Patch] https://github.com/glpi-project/glpi/commit/c340a64a11343bde706d1cd41e4be798dd922303

View Patch ZIP pw:eip

Scores

CVSS v3 4.5

EPSS 0.0005

EPSS Percentile 14.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-79

Status published

Products (1)

glpi-project/glpi 9.5.0 - 10.0.19

Published Jul 29, 2025

Tracked Since Feb 18, 2026