GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Description

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

Basic Information

ID CVE-2025-59935

Source GitHub_M

Published Dec 16, 2025 at 16:34

Modified Dec 16, 2025 at 17:15

Affected Product

Vendor glpi-project

Product glpi

Version >= 10.0.0, < 10.0.21

Affected Versions glpi-project glpi >= 10.0.0, < 10.0.21

CWE Classification

CWE-79

References

github.com /glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx

{
    "lastseen": "",
    "description": "GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.",
    "published": "2025-12-16T16:34:46.251Z",
    "modified": "2025-12-16T17:15:24.435Z",
    "type": "cve",
    "title": "GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page",
    "source": "GitHub_M",
    "references": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx",
    "id": "CVE-2025-59935",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "glpi-project glpi >= 10.0.0, < 10.0.21",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "glpi",
    "version": ">= 10.0.0, < 10.0.21",
    "vendor": "glpi-project",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page_CVE-2025-59935