CVE-2026-25932
Published: 06 April 2026
Summary
CVE-2026-25932 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). Its exploit-likelihood ranking is at the 2.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of supplier field inputs to block injection and storage of malicious XSS payloads by authenticated technician users.
- SI-15 (Information Output Filtering): Mandates filtering of information outputs when rendering supplier fields to prevent execution of stored XSS payloads in victims' browsers.
- Ensures timely remediation of the specific XSS flaw in GLPI supplier fields via patching to version 10.0.24 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS payload injection and execution in victim browsers directly enables session hijacking (T1185) and web session cookie theft (T1539) as described in the CVE impacts.
NVD Description
GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.
Deeper analysis
CVE-2026-25932 is a stored cross-site scripting (XSS) vulnerability, associated with CWE-79 and CWE-116, affecting GLPI, an open-source asset and IT management software package. The issue exists in versions from 0.60 up to but not including 10.0.24, where an authenticated technician user can inject and store a malicious XSS payload in supplier fields. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
An authenticated user with technician privileges can exploit this vulnerability by submitting a crafted XSS payload into supplier fields, which is then persistently stored and rendered for other users viewing the affected data. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of victims' browsers, potentially leading to session hijacking, data theft, or further compromise depending on the privileges of affected users. No user interaction beyond normal viewing of supplier information is required.
The GLPI project addressed this vulnerability in version 10.0.24. Security practitioners should upgrade to this patched release or later. Additional details are available in the official advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh.
Details
- CWE(s)