CVE-2026-26027

HIGH

GLPI has an Unauthenticated Stored XSS via inventory

Title source: cna

Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

References (1)

[X_Refsource_Confirm] https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 13.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-116 CWE-306 CWE-79

Status published

Products (2)

glpi-project/glpi 11.0.0 - 11.0.6

glpi-project/glpi >= 11.0.0, < 11.0.6

Published Apr 06, 2026

Tracked Since Apr 06, 2026