Stored Cross-Site Scripting in GLPI Tag Plugin
CVE-2026-53987

7.3HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-53987?

The GLPI Tag Plugin prior to version 2.14.4 is vulnerable to stored cross-site scripting due to inadequate HTML sanitization when tag names are stored. An authenticated user with TAG MANAGEMENT permissions can create or modify tags that include malicious HTML. This injected content is rendered in the Kanban badge markup, allowing attackers to execute scripts in the browser of any user viewing the Kanban interface. It's crucial to upgrade to the latest version to mitigate the risks associated with this vulnerability.

Affected Version(s)

GLPI 11 2.6.0 < 2.14.4

References

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

chapochapo
.