Platform
php
Component
glpi
Fixed in
11.0.1
CVE-2026-26027 describes a cross-site scripting (XSS) vulnerability in GLPI, a free asset and IT management software package. This vulnerability allows an unauthenticated attacker to inject malicious scripts through the inventory endpoint, potentially compromising user sessions and sensitive data. The vulnerability impacts GLPI versions 11.0.0 through 11.0.5, and a fix is available in version 11.0.6.
Successful exploitation of CVE-2026-26027 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the GLPI interface. An attacker could potentially gain access to sensitive asset information stored within GLPI, or use the compromised session to perform actions on behalf of an authenticated user. The impact is particularly severe given GLPI's role in managing IT assets and infrastructure, potentially granting attackers access to critical systems.
CVE-2026-26027 was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk. The CVSS score of 7.5 (HIGH) reflects the potential impact and ease of exploitation.
Organizations utilizing GLPI versions 11.0.0 through 11.0.5, particularly those with publicly accessible GLPI instances or those lacking robust input validation measures, are at significant risk. Shared hosting environments where multiple users share the same GLPI instance are also particularly vulnerable, as an attacker could potentially compromise the entire environment through a single successful XSS attack.
• php: Examine GLPI inventory endpoint logs for unusual characters or patterns indicative of XSS attempts. Look for POST requests containing <script> or <iframe> tags. Note that a standard access log records only the request line (method, path and query string), so a payload carried in a POST body is visible only where request-body logging, such as a WAF audit log, is enabled.
  grep -i '<script' /var/log/apache2/access.log | grep glpi/inventory
• generic web: Use curl to test the inventory endpoint with a simple XSS payload and observe the response for script execution.
  curl -X POST -d '<script>alert("XSS")</script>' http://your-glpi-server/inventory/
• generic web: Check GLPI's access and error logs for any unusual activity or error messages related to the inventory endpoint.
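The log review described above, as an added example that is not part of this advisory: it parses combined-format access log lines, percent-decodes the request target so that encoded or double-encoded payloads the plain grep would miss are exposed, and reports requests to the inventory path whose request line carries script-style markup. The sample log lines and the /glpi/inventory/ path are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markup fragments that have no business in a legitimate inventory request line.
XSS_MARKERS = re.compile(
    r'<\s*(script|iframe|img|svg)\b|javascript:|\bon[a-z]+\s*=', re.IGNORECASE
)

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253C...) are also exposed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_access_log(lines, endpoint_hint: str = "inventory"):
    """Return (ip, method, decoded_target) for requests to the inventory endpoint
    whose request line contains XSS-style markup. Only the request line is visible in
    an access log; POST bodies need a request-body audit log (e.g. from a WAF)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = decode_target(m.group("target"))
        if endpoint_hint not in target.lower():
            continue
        if XSS_MARKERS.search(target):
            hits.append((m.group("ip"), m.group("method"), target))
    return hits

# Constructed sample lines (not real traffic); the /glpi/inventory/ path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2026:10:00:01 +0000] "POST /glpi/inventory/ HTTP/1.1" 200 512 "-" "GLPI-Agent/1.7"',
    '198.51.100.9 - - [06/Apr/2026:10:00:07 +0000] "GET /glpi/inventory/?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88 "-" "curl/8.5"',
    '198.51.100.9 - - [06/Apr/2026:10:00:09 +0000] "GET /glpi/inventory/?tag=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 88 "-" "curl/8.5"',
    '192.0.2.44 - - [06/Apr/2026:10:01:00 +0000] "GET /glpi/front/central.php?q=%3Cscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {target}")
```

The fourth sample line is deliberately excluded: it carries the same marker but targets a different path, so a reviewer triaging the inventory endpoint is not flooded with unrelated hits.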
disclosure
Exploit Status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26027 is to upgrade GLPI to version 11.0.6 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and sanitization on the inventory endpoint to prevent the injection of malicious scripts. While not a complete solution, this can reduce the attack surface. Review GLPI's web application firewall (WAF) configuration to ensure it can detect and block XSS attempts targeting the inventory endpoint. After upgrading, verify the fix by attempting to inject a simple XSS payload through the inventory endpoint; it should be properly sanitized and not execute.
Upgrade GLPI to version 11.0.6 or later to mitigate the XSS vulnerability. This update fixes the issue by correctly validating user input on the inventory endpoint, preventing the execution of malicious scripts.
CVE-2026-26027 is a cross-site scripting (XSS) vulnerability affecting GLPI versions 11.0.0 through 11.0.5. An unauthenticated attacker can inject malicious scripts through the inventory endpoint.
You are affected if you are running GLPI versions 11.0.0 through 11.0.5. Upgrade to 11.0.6 or later to mitigate the risk.
The recommended fix is to upgrade GLPI to version 11.0.6 or later. As a temporary workaround, implement input validation and sanitization on the inventory endpoint.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the official GLPI security advisory for detailed information and updates: [https://glpi.net/security](https://glpi.net/security)