CVE-2026-25932: GLPI XSS Vulnerability (0.60 - 10.0.24)
Platform: php
Component: glpi
Fixed in: 10.0.24
CVE-2026-25932 describes a cross-site scripting (XSS) vulnerability in GLPI, free asset and IT management software. An authenticated technician user can inject malicious scripts into supplier fields, which are then executed in the browsers of other users who view the affected records. This vulnerability affects GLPI versions from 0.60 up to, but not including, version 10.0.24. A patch is available in version 10.0.24.
How to fix
Upgrade GLPI to version 10.0.24 or later to mitigate the XSS vulnerability. This update fixes the issue by correctly sanitizing user input in the supplier 'Website' field. Make sure to back up your database before upgrading.
Frequently asked questions
What is CVE-2026-25932?
CVE-2026-25932 is a cross-site scripting (XSS) vulnerability in GLPI. It allows an authenticated technician user to inject malicious scripts into supplier fields, potentially leading to script execution in the browsers of other users.
Am I affected by this vulnerability?
You are potentially affected if you are running GLPI versions 0.60 through 10.0.23. Versions prior to 10.0.24 are vulnerable to this XSS attack.
How do I fix this?
Upgrade GLPI to version 10.0.24 or later to resolve this vulnerability. This version includes a patch that addresses the XSS issue.