CVE-2026-26027 | THREATINT

Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

PUBLISHED Reserved 2026-02-09 | Published 2026-04-06 | Updated 2026-04-07 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-116: Improper Encoding or Escaping of Output

CWE-306: Missing Authentication for Critical Function

Product status

>= 11.0.0, < 11.0.6

affected

References

github.com/...t/glpi/security/advisories/GHSA-chch-wcm9-f9cp

cve.org (CVE-2026-26027)

nvd.nist.gov (CVE-2026-26027)

Download JSON