CVE-2026-26027
Received Received - Intake
Stored XSS in GLPI Inventory Endpoint Allows Unauthenticated Attack

Publication date: 2026-04-06

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26027
EUVD
EUVD-2026-19247
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
glpi-project glpi From 11.0.0 (inc) to 11.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an unauthenticated attacker to store and potentially execute a Cross-Site Scripting (XSS) payload, which can lead to unauthorized access to sensitive information and compromise confidentiality, integrity, and availability of data.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.

Failure to properly authenticate users and sanitize inputs as described in this vulnerability could result in data breaches or unauthorized data exposure, potentially leading to non-compliance with these regulations.

Therefore, organizations using affected versions of GLPI should upgrade to version 11.0.6 to mitigate these risks and maintain compliance.

Executive Summary

CVE-2026-26027 is a high-severity vulnerability in the GLPI software package versions 11.0.0 to before 11.0.6. It allows an unauthenticated attacker to store a Cross-Site Scripting (XSS) payload through the inventory endpoint.

This stored XSS vulnerability means that malicious code can be saved on the server and later executed in the browsers of users who view the affected pages. The vulnerability occurs because the software does not properly authenticate users before accepting input, and it fails to correctly neutralize or encode this input before displaying it.

Exploitation requires no privileges and can be done remotely, but user interaction is needed to trigger the malicious payload.

Impact Analysis

This vulnerability can have a significant impact on confidentiality, integrity, and availability of the affected system.

  • Confidentiality: Attackers can execute malicious scripts in users' browsers, potentially stealing sensitive information such as session tokens or personal data.
  • Integrity: The attacker can manipulate the content displayed to users, misleading them or injecting harmful content.
  • Availability: Exploiting the vulnerability could disrupt normal operations or cause denial of service.

Because the vulnerability requires no authentication to store the malicious payload, it increases the risk of exploitation by remote attackers.

Detection Guidance

This vulnerability involves an unauthenticated user storing a Cross-Site Scripting (XSS) payload via the inventory endpoint in GLPI versions 11.0.0 to before 11.0.6.

To detect this vulnerability on your system, you can check the GLPI version to see if it is below 11.0.6, as the issue is fixed in 11.0.6.

Additionally, you can monitor HTTP requests to the inventory endpoint for suspicious input that may contain XSS payloads.

While no specific commands are provided in the resources, common detection methods include using web vulnerability scanners that test for stored XSS on the inventory endpoint or manually inspecting HTTP traffic for suspicious payloads.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade GLPI to version 11.0.6 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the inventory endpoint to trusted users or networks to reduce the risk of exploitation.

Implement web application firewall (WAF) rules to detect and block potential XSS payloads targeting the inventory endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart