CVE-2026-40108
Stored XSS in GLPI ITIL Costs
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi | glpi | up to and including 11.0.6 |
| glpi | glpi | 11.0.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects GLPI, a free asset and IT management software. In versions 11.0.0 through 11.0.6, a technician user can store a Cross-Site Scripting (XSS) payload within ITIL costs. This means that malicious scripts can be injected and stored in the application, potentially leading to execution of unauthorized scripts when viewed by other users. The issue has been fixed in version 11.0.7.
How can this vulnerability impact me?
The vulnerability allows a technician to inject and store malicious scripts in the GLPI software. This can lead to Cross-Site Scripting attacks, which may result in unauthorized actions being performed on behalf of users, theft of session tokens or credentials, and potential compromise of user accounts or sensitive information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in GLPI versions 11.0.0 through 11.0.6 can be mitigated by upgrading to version 11.0.7 or later, where the issue has been fixed.