{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26027", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.555Z", "datePublished": "2026-04-06T14:35:53.788Z", "dateUpdated": "2026-04-06T14:51:39.422Z"}, "containers": {"cna": {"title": "GLPI has an Unauthenticated Stored XSS via inventory", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 11.0.0, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:35:53.788Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6."}], "source": {"advisory": "GHSA-chch-wcm9-f9cp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:51:31.911096Z", "id": "CVE-2026-26027", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:51:39.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T14:51:31.911096Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:51:34.878Z"}}], "cna": {"title": "GLPI has an Unauthenticated Stored XSS via inventory", "source": {"advisory": "GHSA-chch-wcm9-f9cp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 11.0.0, < 11.0.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:35:53.788Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26027", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:51:39.422Z", "dateReserved": "2026-02-09T21:36:29.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:35:53.788Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6."}], "id": "CVE-2026-26027", "lastModified": "2026-04-06T15:17:07.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:07.243", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-04-06T18:20:56.479405+00:00", "value": {"mitigation_remediation": ["Upgrade to GLPI 11.0.6 or newer to apply the vendor patch", "If an upgrade cannot be performed immediately, limit access to the inventory endpoint so that only authorized users can add or modify inventory items", "As a temporary safeguard, implement a content\u2011security policy or server\u2011side sanitization of inventory input to block script tags"], "summary": {"action": "Patch Immediately", "impact": "Stored cross\u2011site scripting via inventory endpoint"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the glpi project\u2019s GLPI asset and IT management software. All releases from version 11.0.0 up to, but not including, 11.0.6 are impacted. Version 11.0.6 and later contain the vendor\u2011supplied fix.", "description_and_impact": "GLPI versions 11.0.0 through 11.0.5 contain an unauthenticated stored cross\u2011site scripting vulnerability that allows a user without authentication to store malicious scripts via the inventory endpoint. The stored payload is rendered later when a user views inventory data, potentially executing arbitrary JavaScript in that user\u2019s browser. Based on the description, it is inferred that any authenticated user who views the affected inventory item would be subject to the script execution, leading to client\u2011side code execution and possible session hijacking or data theft. This flaw is a typical input validation failure and is classified as CWE-79.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high severity. The attack requires no credentials and exploits a publicly reachable endpoint, meaning the effort to attack is low. No publicly documented exploits are listed in the provided data, and the vulnerability is absent from the CISA Known Exploited Vulnerabilities catalog. The EPSS score is not available, preventing a precise approximation of exploitation frequency, but the combination of high severity and low effort still presents a significant risk."}}}}, "created": "2026-04-06T20:14:27.725837+00:00", "updated": "2026-04-06T21:32:42.050141+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}