XSS Vulnerability in GLPI Asset Management Software
CVE-2026-26027

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-26027?

GLPI asset management software is vulnerable to stored cross-site scripting (XSS): an unauthenticated attacker can store malicious payloads through the inventory endpoint. The issue affects versions from 11.0.0 up to, but not including, 11.0.6. The stored payloads let an attacker execute arbitrary scripts in the context of users who access the affected GLPI instance. Users are advised to upgrade to version 11.0.6 or later to mitigate this risk.

Affected Version(s)

glpi >= 11.0.0, < 11.0.6

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
