Platform: php
Component: glpi
Fixed in: 11.0.1
CVE-2026-26027 describes a cross-site scripting (XSS) vulnerability in GLPI, a free asset and IT management software package. This vulnerability allows an unauthenticated attacker to inject malicious scripts through the inventory endpoint, potentially compromising user sessions and sensitive data. The vulnerability impacts GLPI versions 11.0.0 through 11.0.5, and a fix is available in version 11.0.6.
Successful exploitation of CVE-2026-26027 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the GLPI interface. An attacker could potentially gain access to sensitive asset information stored within GLPI, or use the compromised session to perform actions on behalf of an authenticated user. The impact is particularly severe given GLPI's role in managing IT assets and infrastructure, potentially granting attackers access to critical systems.
CVE-2026-26027 was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk. The CVSS score of 7.5 (HIGH) reflects the potential impact and ease of exploitation.
Exploit Status: EPSS 0.05% (14th percentile)
The primary mitigation for CVE-2026-26027 is to upgrade GLPI to version 11.0.6 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the inventory endpoint to prevent the injection of malicious scripts. While not a complete solution, this can reduce the attack surface. Review GLPI's web application firewall (WAF) configuration to ensure it can detect and block XSS attempts targeting the inventory endpoint. After upgrading, verify the fix by attempting to inject a simple XSS payload through the inventory endpoint; it should be properly sanitized and not execute.
Update GLPI to version 11.0.6 or later to mitigate the XSS vulnerability. This update corrects the issue by properly validating user input in the inventory endpoint, preventing the execution of malicious scripts.
CVE-2026-26027 is a cross-site scripting (XSS) vulnerability affecting GLPI versions 11.0.0 through 11.0.5. An unauthenticated attacker can inject malicious scripts through the inventory endpoint.
You are affected if you are running GLPI versions 11.0.0 through 11.0.5. Upgrade to 11.0.6 or later to mitigate the risk.
The recommended fix is to upgrade GLPI to version 11.0.6 or later. As a temporary workaround, implement input validation and sanitization on the inventory endpoint.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the official GLPI security advisory for detailed information and updates: [https://glpi.net/security](https://glpi.net/security)