Home

Description

An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.

PUBLISHED Reserved 2026-04-01 | Published 2026-06-02 | Updated 2026-06-03 | Assigner Fluid Attacks




HIGH: 8.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Product status

Default status
unaffected

Any version before 11.0.7
affected

Credits

Fluid Attacks' AI SAST Scanner finder

Oscar Uribe finder

References

fluidattacks.com/es/advisories/bizkit exploit

fluidattacks.com/es/advisories/bizkit third-party-advisory

github.com/glpi-project/glpi product

github.com/...t/glpi/security/advisories/GHSA-2fg5-jg72-h338 vendor-advisory

github.com/glpi-project/glpi/releases/tag/11.0.7 patch

cve.org (CVE-2026-5385)

nvd.nist.gov (CVE-2026-5385)

Download JSON