CVE-2026-42321
Cross-Site Scripting in GLPI Asset Management Software
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi_project | glpi | From 10.0.4 (inclusive) to 10.0.25 (exclusive) |
| glpi_project | glpi | 10.0.25 |
| glpi_project | glpi | 11.0.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored cross-site scripting (XSS) issue that can impact the confidentiality, integrity, and availability of the GLPI system. Such impacts could potentially lead to unauthorized access or manipulation of sensitive data managed by the software.
While the available information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that affect confidentiality and integrity can put compliance with these regulations at risk, since they require the protection of personal and sensitive data.
Therefore, if exploited, this vulnerability could hinder an organization's ability to meet the data protection requirements mandated by common standards and regulations.
Can you explain this vulnerability to me?
CVE-2026-42321 is a stored cross-site scripting (XSS) vulnerability in the GLPI asset management software. It allows a technician with high privileges to inject malicious scripts into the asset locked tab feature. These malicious scripts are then executed when other users view the affected page, potentially compromising their security.
The vulnerability affects GLPI versions from 10.0.4 up to 10.0.24 and has been patched in version 10.0.25.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of other users' browsers when they view the compromised asset locked tab. This can lead to unauthorized access to sensitive information, manipulation of data, or disruption of service.
The CVSS score of 8.4 indicates a high severity, with potential impacts on confidentiality, integrity, and availability of the system.
However, exploitation requires the attacker to already hold high privileges (technician level), and a victim must interact with the affected page for the injected script to run.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the GLPI asset locks feature: a technician with high privileges can store a malicious script that later executes in other users' browsers.
Detection therefore involves inspecting the data shown in the asset locked tab for suspicious or unexpected script tags or payloads stored by privileged users.
Since the vulnerability is related to stored XSS in the web application, network detection commands are not directly applicable.
To detect exploitation or the presence of injected scripts, manually review the database entries backing the asset locked tab, or the web interface content it renders, for script tags, event-handler attributes, or other HTML that a lock record would not normally contain.
The available resources provide no specific commands for automated detection.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade GLPI to version 10.0.25 or later (including 11.0.7), where the vulnerability has been patched.
Restrict technician privileges to only those necessary, as the vulnerability requires high privileges to inject the XSS payload.
Avoid allowing untrusted or unnecessary users to access the asset locked tab until the patch is applied.
Consider reviewing and sanitizing existing data in the asset locked tab to remove any malicious scripts that may have been stored.