CVE-2026-5385
Cross-Site Scripting in GLPI Knowledge Base
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Fluid Attacks
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi | glpi | up to 11.0.7 (excluded) |
| glpi | glpi | 11.0.6 |
| glpi | glpi | 11.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5385 is a stored cross-site scripting (XSS) vulnerability in GLPI, an open-source IT asset management software. It occurs because the content of knowledge base items is returned without proper output sanitization, allowing an attacker with write access to the knowledge base to inject malicious HTML or JavaScript payloads. When other authorized users view the affected knowledge base item, the malicious script executes in their browsers.
Exploitation requires an authenticated user with knowledge base write permissions to store the XSS payload. The vulnerability affects GLPI versions before 11.0.7 and was patched in version 11.0.7.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary script execution in the browsers of authorized users who view the compromised knowledge base items. This can result in unauthorized actions performed on behalf of those users, theft of sensitive information, session hijacking, or other malicious activities.
Because the vulnerability affects confidentiality, integrity, and availability, it poses a high risk to the security of the GLPI system and its users.
Users of GLPI should upgrade to version 11.0.7 or later to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of stored XSS payloads in knowledge base items within GLPI versions before 11.0.7.
Since the vulnerability is related to the /Knowbase/KnowbaseItem/{id}/Content endpoint returning unsanitized content, one approach is to inspect HTTP responses from this endpoint for suspicious HTML or JavaScript code.
Commands or methods to detect this could include using curl or similar tools to fetch the content of knowledge base items and manually or programmatically scanning for embedded scripts.
- curl -s -k -H "Cookie: <authenticated_session_cookie>" https://<glpi-server>/Knowbase/KnowbaseItem/<id>/Content | grep -iE '<script|onerror|javascript:'
- Use a web vulnerability scanner or automated tool to test for stored XSS in the knowledge base items by attempting to inject and retrieve script payloads.
Note that exploitation requires authenticated access with knowledge base write permissions, so detection commands must be run with appropriate credentials.
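The curl | grep check above matches raw text and misses obfuscated markup (split or entity-encoded "javascript:", unusual event handlers). The following added example, not part of the advisory or of GLPI, generalizes it into a small parser-based scanner that a defender can run over the body returned by the /Knowbase/KnowbaseItem/<id>/Content endpoint; the item contents below are constructed samples.

```python
from html.parser import HTMLParser

# Attributes that accept a URL, where a javascript: scheme is an indicator.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class XssIndicatorParser(HTMLParser):
    """Collect stored-XSS indicators; this flags, it does not sanitize."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &#106;avascript: etc.
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute: {name}")
            elif name in URL_ATTRS and value is not None:
                # Drop whitespace so a split "java\nscript:" scheme is caught.
                scheme = "".join(value.split()).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name}")


def find_xss_indicators(html):
    """Return indicator descriptions found in one knowledge base item body."""
    parser = XssIndicatorParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_items(items):
    """items maps item id -> HTML body; returns only ids with findings."""
    return {i: f for i, h in items.items() if (f := find_xss_indicators(h))}


# Constructed sample data: a benign article and one carrying injected markup.
SAMPLE_ITEMS = {
    1: "<p>Reset your password from <a href='/front/lostpassword.php'>here</a>.</p>",
    2: "<p>Guide</p><img src=x onerror=\"x()\"><a href=\"java\nscript:void(0)\">x</a>",
}

if __name__ == "__main__":
    for item_id, findings in scan_items(SAMPLE_ITEMS).items():
        print(f"item {item_id}: {', '.join(findings)}")
```

Any finding should be reviewed against the item's revision history to identify the account that stored it, since write access to the knowledge base is the precondition the advisory names.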
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade GLPI to version 11.0.7 or later, where this vulnerability has been patched.
Until the upgrade can be applied, restrict write access to the knowledge base to trusted users only, as exploitation requires authenticated users with write permissions.
Monitor official GLPI security advisories for any additional patches or mitigation recommendations.
Consider implementing web application firewall (WAF) rules to detect and block suspicious script injections or XSS payloads targeting the knowledge base endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with write access to inject malicious scripts into knowledge base items, which can be executed in the browsers of other authorized users. This can lead to unauthorized access or manipulation of sensitive data within the system.
Such unauthorized access and potential data manipulation pose risks to confidentiality, integrity, and availability of information managed by GLPI, which could impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data against unauthorized access and ensuring data integrity.
Therefore, if exploited, this vulnerability could lead to non-compliance with these standards due to the exposure and potential compromise of sensitive information.