Platform: php
Component: glpi
Fixed in: 0.60.1
CVE-2026-25932 describes a cross-site scripting (XSS) vulnerability affecting GLPI, a free asset and IT management software. An authenticated technician user can exploit this flaw by injecting malicious scripts into supplier fields, potentially allowing the injected script to run in the browsers of other users. This vulnerability impacts GLPI versions from 0.60 up to, but not including, version 10.0.24. A patch is available in version 10.0.24.
CVE-2026-25932 in GLPI allows an authenticated technician user to store an XSS payload within supplier fields. This could allow an attacker to execute arbitrary JavaScript code in the browsers of other GLPI users, potentially stealing sensitive information like login credentials, modifying the application's appearance, or redirecting users to malicious websites. The risk is significant, especially in environments where users have access to confidential data managed by GLPI. The vulnerability affects GLPI versions from 0.60 up to, but not including, 10.0.24. Successful exploitation requires the attacker to have technician user privileges within the GLPI system.
An attacker with technician user privileges in GLPI can exploit this vulnerability by inserting malicious JavaScript code into supplier fields when creating or editing a supplier. This code will execute when other GLPI users view the affected supplier information. The attacker could use this to steal session cookies, redirect users to phishing websites, or modify page content to deceive users. Because the payload is stored, the malicious code remains in the system until the installation is upgraded or countermeasures are applied.
Exploit Status
EPSS: 0.03% (9th percentile)
The recommended solution is to upgrade GLPI to version 10.0.24 or later. This version includes a fix that prevents XSS code injection into supplier fields. If immediate upgrading is not possible, consider implementing additional security measures such as strict user input validation and applying Content Security Policy (CSP) to mitigate the risk of exploitation. Regularly reviewing GLPI logs for suspicious activity and educating users about XSS risks and identification are also crucial. Periodic security audits can help identify and address potential vulnerabilities.
Upgrade GLPI to version 10.0.24 or later to mitigate the XSS vulnerability. This update fixes the issue by correctly sanitizing user input in the 'Supplier website' field, preventing the execution of malicious code.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into websites viewed by other users. These scripts can steal information, redirect users to malicious websites, or modify the website's appearance.
If you are using a version of GLPI prior to 10.0.24, your installation is vulnerable. Check your GLPI version on the system's administration page.
Immediately upgrade to version 10.0.24 or later. Review GLPI logs for suspicious activity and consider changing all user passwords.
If immediate upgrading is not possible, implement strict user input validation and consider applying Content Security Policy (CSP).
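The interim measures above (strict input validation, output encoding, a Content Security Policy, and a review of existing data) can be illustrated in a small script. The code below is an added example and is not GLPI's own code or the vendor's fix; the supplier records, the field names, the regular expression and the CSP value are constructed assumptions for demonstration. It shows three defensive pieces: an allowlist check that only accepts http/https URLs for a website field (so a stored `javascript:` link is never rendered as a hyperlink), HTML-escaping of supplier fields before they are placed in a page, and an audit routine that flags existing supplier records containing script-like content so an administrator can clean them up before upgrading.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Only these URL schemes are ever turned into a clickable link.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed starting policy for an interim CSP header; it must be tuned to
# the application's real script and style sources before deployment.
CSP_HEADER = "Content-Security-Policy"
CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

# Patterns that should never appear in a supplier name, website or comment.
# Word boundary before "on" avoids false positives such as "phone=".
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample supplier records (assumed field names, not GLPI's schema).
SAMPLE_SUPPLIERS = [
    {"id": 1, "name": "ACME Supplies", "website": "https://acme.example",
     "comment": "Main hardware vendor"},
    {"id": 2, "name": "Shady Parts", "website": "javascript:alert(1)",
     "comment": ""},
    {"id": 3, "name": "Widgets <script>alert(1)</script>",
     "website": "https://widgets.example", "comment": ""},
    {"id": 4, "name": "Clean Co", "website": "http://clean.example",
     "comment": "<b>bold</b> only"},
]


def validate_website(value):
    """Return the URL if it uses an allowed scheme and has a host, else None."""
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_supplier_link(name, website):
    """Render a supplier as escaped HTML; only an allowlisted URL becomes a link."""
    safe_name = escape(name, quote=True)
    url = validate_website(website)
    if url is None:
        # Fall back to plain text so a rejected value is never an href.
        return safe_name
    return (f'<a href="{escape(url, quote=True)}" rel="noopener noreferrer">'
            f'{safe_name}</a>')


def audit_suppliers(records):
    """Return (id, field) pairs for every stored value that looks like script."""
    findings = []
    for record in records:
        for field in ("name", "website", "comment"):
            if SUSPICIOUS.search(record.get(field, "")):
                findings.append((record["id"], field))
    return findings


if __name__ == "__main__":
    for rid, field in audit_suppliers(SAMPLE_SUPPLIERS):
        print(f"supplier {rid}: suspicious content in field '{field}'")
    for record in SAMPLE_SUPPLIERS:
        print(render_supplier_link(record["name"], record["website"]))
    print(f"{CSP_HEADER}: {CSP_VALUE}")
```

Running the script lists suppliers 2 and 3 as needing review and renders supplier 2 as plain text rather than a link. The audit regex is deliberately narrow and catches only obvious patterns; it is a triage aid for reviewing existing data, not a substitute for upgrading to 10.0.24.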
You can find more information about this vulnerability on vulnerability databases such as the National Vulnerability Database (NVD) or the GLPI website.