XSS Vulnerability in GLPI Asset Management Software
CVE-2026-40108

7.1 HIGH

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-40108?

A stored Cross-Site Scripting (XSS) vulnerability exists in GLPI, a widely used free asset and IT management software. In versions 11.0.0 to 11.0.6, a user with the technician role can store a malicious XSS payload in ITIL cost entries; the script then executes in the browser of any user who views those entries, with that user's session and permissions. GLPI version 11.0.7 fixes the issue, so affected installations should be updated promptly. For further details, refer to the vendor's security advisory.

Affected Version(s)

glpi >= 11.0.0, < 11.0.7

CVSS v4

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved