CVE-2026-26026

CRITICAL

GLPI has a Server-Side Template Injection via Double-Compilation

Title source: cna

Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.

Exploits (1)

nomisec WORKING POC
by CEAarab · poc
https://github.com/CEAarab/CVE-2026-26026-PoC

Scores

CVSS v3 9.1
EPSS 0.0006
EPSS Percentile 18.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-1336 CWE-94
Status published
Products (2)
glpi-project/glpi 11.0.0 - 11.0.6
glpi-project/glpi >= 11.0.0, < 11.0.6
Published Apr 06, 2026
Tracked Since Apr 06, 2026