CVE-2026-53987
Received Received - Intake

Stored XSS in GLPI Tag Plugin

Vulnerability report for CVE-2026-53987, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pluginsglpi tag to 2.14.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browsers of users who view the affected Kanban views. This can result in session hijacking, unauthorized actions performed on behalf of users, data theft, or other malicious activities. Since the attack requires an authenticated user with tag management rights to insert the malicious code, it poses a risk within environments where such privileges are granted. The impact is significant because it affects the confidentiality, integrity, and availability of user sessions and data.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-53987, you should update the GLPI Tag plugin to version 2.14.4 or later.

This update includes a security fix that properly sanitizes and escapes tag names to prevent stored cross-site scripting (XSS) attacks.

Ensure that only authenticated users with appropriate TAG MANAGEMENT create or update rights can modify tag names.

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in the Tag plugin for GLPI versions before 2.14.4. It occurs because the plugin stores tag names without sanitizing HTML and then renders these names directly into the Kanban badge markup without escaping the output. An authenticated user with tag management create or update rights can insert malicious HTML or JavaScript code into a tag name. When any user views the Kanban view of a ticket, problem, change, or project that has the malicious tag attached, the injected script executes in their browser.

Compliance Impact

The provided context and resources do not contain any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the GLPI Tag plugin before version 2.14.4, where tag names containing malicious HTML can execute scripts in the browser when viewing the Kanban view.

To detect this vulnerability on your system, you should check the version of the GLPI Tag plugin installed. Versions before 2.14.4 are vulnerable.

You can detect the plugin version by inspecting the plugin files or using GLPI's plugin management interface.

Additionally, to detect if malicious tags exist, you can query the database for tag names containing suspicious HTML or script tags.

  • Check the plugin version by looking at the version constant in the plugin's setup.php file or via GLPI's plugin interface.
  • Run a database query to find tags with potential XSS payloads, for example (assuming MySQL):
  • SELECT * FROM glpi_plugin_tag_tags WHERE name LIKE '%<script>%';
  • Or more generally, search for tags containing HTML tags:
  • SELECT * FROM glpi_plugin_tag_tags WHERE name REGEXP '<[^>]+>';

These commands help identify if any tag names contain HTML or script elements that could trigger the XSS vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53987. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart