CVE-2026-26027
Stored XSS in GLPI Inventory Endpoint Allows Unauthenticated Attack
Publication date: 2026-04-06
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi | From 11.0.0 (inc) to 11.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26027 is a high-severity vulnerability in the GLPI software package versions 11.0.0 to before 11.0.6. It allows an unauthenticated attacker to store a Cross-Site Scripting (XSS) payload through the inventory endpoint.
This stored XSS vulnerability means that malicious code can be saved on the server and later executed in the browsers of users who view the affected pages. The vulnerability occurs because the software does not properly authenticate users before accepting input, and it fails to correctly neutralize or encode this input before displaying it.
Exploitation requires no privileges and can be done remotely, but user interaction is needed to trigger the malicious payload.
How can this vulnerability impact me? :
This vulnerability can have a significant impact on confidentiality, integrity, and availability of the affected system.
- Confidentiality: Attackers can execute malicious scripts in users' browsers, potentially stealing sensitive information such as session tokens or personal data.
- Integrity: The attacker can manipulate the content displayed to users, misleading them or injecting harmful content.
- Availability: Exploiting the vulnerability could disrupt normal operations or cause denial of service.
Because the vulnerability requires no authentication to store the malicious payload, it increases the risk of exploitation by remote attackers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an unauthenticated user storing a Cross-Site Scripting (XSS) payload via the inventory endpoint in GLPI versions 11.0.0 to before 11.0.6.
To detect this vulnerability on your system, you can check the GLPI version to see if it is below 11.0.6, as the issue is fixed in 11.0.6.
Additionally, you can monitor HTTP requests to the inventory endpoint for suspicious input that may contain XSS payloads.
While no specific commands are provided in the resources, common detection methods include using web vulnerability scanners that test for stored XSS on the inventory endpoint or manually inspecting HTTP traffic for suspicious payloads.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade GLPI to version 11.0.6 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the inventory endpoint to trusted users or networks to reduce the risk of exploitation.
Implement web application firewall (WAF) rules to detect and block potential XSS payloads targeting the inventory endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an unauthenticated attacker to store and potentially execute a Cross-Site Scripting (XSS) payload, which can lead to unauthorized access to sensitive information and compromise confidentiality, integrity, and availability of data.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
Failure to properly authenticate users and sanitize inputs as described in this vulnerability could result in data breaches or unauthorized data exposure, potentially leading to non-compliance with these regulations.
Therefore, organizations using affected versions of GLPI should upgrade to version 11.0.6 to mitigate these risks and maintain compliance.