CVE-2026-42321
Deferred Deferred - Pending Action
Cross-Site Scripting in GLPI Asset Management Software

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-42321
EUVD
EUVD-2026-34097
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
glpi_project glpi From 10.0.4 (inc) to 10.0.25 (exc)
glpi_project glpi 10.0.25
glpi_project glpi 11.0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) issue that can impact the confidentiality, integrity, and availability of the GLPI system. Such impacts could potentially lead to unauthorized access or manipulation of sensitive data managed by the software.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities affecting confidentiality and integrity can pose risks to compliance with these regulations, which require protection of personal and sensitive data.

Therefore, if exploited, this vulnerability could hinder an organization's ability to meet data protection requirements mandated by common standards and regulations.

Executive Summary

CVE-2026-42321 is a stored cross-site scripting (XSS) vulnerability in the GLPI asset management software. It allows a technician with high privileges to inject malicious scripts into the asset locked tab feature. These malicious scripts are then executed when other users view the affected page, potentially compromising their security.

The vulnerability affects GLPI versions from 10.0.4 up to 10.0.24 and has been patched in version 10.0.25.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of other users' browsers when they view the compromised asset locked tab. This can lead to unauthorized access to sensitive information, manipulation of data, or disruption of service.

The CVSS score of 8.4 indicates a high severity, with potential impacts on confidentiality, integrity, and availability of the system.

However, exploitation requires the attacker to have high privileges (technician level) and requires active user interaction.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the GLPI asset locks feature, exploitable by a technician with high privileges injecting malicious scripts.

Detection involves inspecting the asset locked tab data for suspicious or unexpected script tags or payloads stored by privileged users.

Since the vulnerability is related to stored XSS in the web application, network detection commands are not directly applicable.

To detect potential exploitation or presence of malicious scripts, you can manually review the database entries or web interface content in the asset locked tab for injected scripts.

No specific commands are provided in the available resources for automated detection.

Mitigation Strategies

The primary mitigation step is to upgrade GLPI to version 10.0.25 or later (including 11.0.7), where the vulnerability has been patched.

Restrict technician privileges to only those necessary, as the vulnerability requires high privileges to inject the XSS payload.

Avoid allowing untrusted or unnecessary users to access the asset locked tab until the patch is applied.

Consider reviewing and sanitizing existing data in the asset locked tab to remove any malicious scripts that may have been stored.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart