Stored Cross-Site Scripting in GLPI Tag Plugin
CVE-2026-53987
7.3HIGH
What is CVE-2026-53987?
The GLPI Tag Plugin prior to version 2.14.4 is vulnerable to stored cross-site scripting due to inadequate HTML sanitization when tag names are stored. An authenticated user with TAG MANAGEMENT permissions can create or modify tags that include malicious HTML. This injected content is rendered in the Kanban badge markup, allowing attackers to execute scripts in the browser of any user viewing the Kanban interface. It's crucial to upgrade to the latest version to mitigate the risks associated with this vulnerability.
Affected Version(s)
GLPI 11 2.6.0 < 2.14.4
