CVE-2026-40108
Deferred Deferred - Pending Action

Stored XSS in GLPI ITIL Costs

Vulnerability report for CVE-2026-40108, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-07-14
AI Q&A
2026-06-03
EPSS Evaluated
2026-07-12
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
glpi glpi to 11.0.6 (inc)
glpi glpi 11.0.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects GLPI, a free asset and IT management software. In versions 11.0.0 through 11.0.6, a technician user can store a Cross-Site Scripting (XSS) payload within ITIL costs. This means that malicious scripts can be injected and stored in the application, potentially leading to execution of unauthorized scripts when viewed by other users. The issue has been fixed in version 11.0.7.

Impact Analysis

The vulnerability allows a technician to inject and store malicious scripts in the GLPI software. This can lead to Cross-Site Scripting attacks, which may result in unauthorized actions being performed on behalf of users, theft of session tokens or credentials, and potential compromise of user accounts or sensitive information.

Mitigation Strategies

The vulnerability in GLPI versions 11.0.0 through 11.0.6 can be mitigated by upgrading to version 11.0.7 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart