GLPI has an Unauthenticated Stored XSS via inventory_CVE-2026-26027

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Basic Information

ID CVE-2026-26027

Source GitHub_M

Published Apr 6, 2026 at 14:35

Modified Apr 7, 2026 at 03:55

Affected Product

Vendor glpi-project

Product glpi

Version >= 11.0.0, < 11.0.6

Affected Versions glpi-project glpi >= 11.0.0, < 11.0.6

CWE Classification

CWE-79 CWE-116 CWE-306

References

github.com /glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp

{
    "lastseen": "",
    "description": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.",
    "published": "2026-04-06T14:35:53.788Z",
    "modified": "2026-04-07T03:55:40.983Z",
    "type": "cve",
    "title": "GLPI has an Unauthenticated Stored XSS via inventory",
    "source": "GitHub_M",
    "references": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp",
    "id": "CVE-2026-26027",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-116",
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "glpi-project glpi >= 11.0.0, < 11.0.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "glpi",
    "version": ">= 11.0.0, < 11.0.6",
    "vendor": "glpi-project",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}