PT-2026-30609 · Glpi+1

Bzhunt · Published 2026-04-06 · Updated 2026-04-17 · CVE-2026-26027

CVSS v3.1

7.5 High

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GLPI versions 11.0.0 through 11.0.5

Description

An unauthenticated user can store a Cross-Site Scripting (XSS) payload via the 'inventory' endpoint. XSS is a technique in which malicious scripts are injected into trusted websites.

Recommendations

Update to version 11.0.6.

Fix

Improper Encoding or Escaping of Output

XSS

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-07151
CVE-2026-26027

Affected Products

Glpi
Red Os