Platform
php
Component
glpi
Fixed in
0.60.1
CVE-2026-25932 describes a cross-site scripting (XSS) vulnerability affecting GLPI, a free asset and IT management software. An authenticated technician user can exploit this flaw by injecting malicious scripts into supplier fields, which are later rendered in the browsers of other users, allowing the injected script to run in their context. This vulnerability impacts GLPI versions from 0.60 up to, but not including, version 10.0.24. A patch is available in version 10.0.24.
Successful exploitation of CVE-2026-25932 allows an attacker to execute arbitrary JavaScript code within the context of another user's session. This can lead to account takeover, where the attacker gains control of the victim's GLPI account, enabling them to access sensitive data, modify system configurations, and potentially escalate privileges. The impact is particularly severe for organizations relying on GLPI for critical asset and IT management tasks, as a compromised account could lead to widespread disruption and data breaches. While the vulnerability requires authentication, the ease of injecting the payload makes it a significant risk, especially in environments with weak password policies or inadequate access controls.
CVE-2026-25932 was publicly disclosed on 2026-04-06. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's relatively simple exploitation vector suggests a potential for rapid exploitation if a PoC is released. It is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25932 is to upgrade GLPI to version 10.0.24 or later. If immediate upgrading is not possible, consider implementing temporary workarounds to reduce the attack surface. Input validation and sanitization on supplier fields can help prevent the injection of malicious scripts. Additionally, restrict access to supplier fields to only authorized personnel. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting GLPI can provide an additional layer of defense. Monitor GLPI logs for suspicious activity, particularly related to supplier field modifications.
Update GLPI to version 10.0.24 or later to mitigate the XSS vulnerability. This update fixes the issue by correctly sanitizing user input in the 'Supplier website' field, preventing the execution of malicious code.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into websites viewed by other users. These scripts can steal information, redirect users to malicious websites, or modify the website's appearance.
If you are using a version of GLPI prior to 10.0.24, your installation is vulnerable. Check your GLPI version on the system's administration page.
Immediately upgrade to version 10.0.24 or later. Review GLPI logs for suspicious activity and consider changing all user passwords.
If immediate upgrading is not possible, implement strict user input validation and consider applying Content Security Policy (CSP).
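The two interim workarounds named above (input validation and sanitization on supplier fields, and a Content Security Policy) are shown together below as an added example. This is illustrative code written for this page, not GLPI's own code or its patch; the function names, the `validateSupplierWebsite`/`renderSupplierWebsite` split, the CSP directives and the sample inputs are all assumptions chosen for the demonstration.

```php
<?php
// Added example (not GLPI's own code): defensive handling of a supplier
// "website" field, the kind of field named in this advisory. Two layers:
// validate on input (only absolute http/https URLs) and escape on output.
// Function names and the CSP below are assumptions for illustration.

declare(strict_types=1);

/**
 * Accept only absolute http(s) URLs; refuse anything else (other schemes,
 * embedded markup, whitespace). Returns null when the value must be rejected.
 */
function validateSupplierWebsite(string $raw): ?string
{
    $candidate = trim($raw);
    if ($candidate === '') {
        return null;
    }
    // FILTER_VALIDATE_URL requires a scheme and host but does not restrict
    // which scheme, so the scheme is checked separately below.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Defence in depth: refuse characters that could close an attribute or tag.
    if (preg_match('/[<>"\'\s]/', $candidate) === 1) {
        return null;
    }
    return $candidate;
}

/**
 * Render the field as an HTML link. Output escaping is what stops stored XSS
 * even if an unvalidated value ever reached the database.
 */
function renderSupplierWebsite(?string $url): string
{
    if ($url === null) {
        return '<span class="empty">-</span>';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<a href="%s" rel="noopener noreferrer">%s</a>', $safe, $safe);
}

/**
 * Content Security Policy header (the workaround mentioned above). A nonce-based
 * script-src blocks the inline script an injected payload would rely on; it must
 * be sent before any output, and the nonce must be fresh per response.
 */
function sendCspHeader(string $nonce): void
{
    header(sprintf(
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-%s'; "
        . "object-src 'none'; base-uri 'self'",
        $nonce
    ));
}

// Constructed sample inputs (not taken from the advisory): one benign value,
// one non-http scheme, one value carrying markup.
$samples = [
    'https://supplier.example/',
    'javascript:alert(1)',
    'https://supplier.example/<b>',
];
foreach ($samples as $s) {
    $valid = validateSupplierWebsite($s);
    printf("%-40s -> %s\n", $s, $valid === null ? 'REJECTED' : renderSupplierWebsite($valid));
}
```

Validation alone is not the fix: values already stored before the workaround was applied still reach the page, so the escaping in the render step (and the CSP) is what protects users of a not-yet-upgraded instance. Checking existing supplier records for values that fail `validateSupplierWebsite` is also a quick way to spot whether the field has already been abused, which complements the log review recommended above.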
You can find more information about this vulnerability on vulnerability databases such as the National Vulnerability Database (NVD) or the GLPI website.