CVE-2026-26026
Published: 06 April 2026
Summary
CVE-2026-26026 is a critical-severity Code Injection (CWE-94) vulnerability in Glpi-Project Glpi. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through patching to version 11.0.6 directly eliminates the template injection vulnerability leading to RCE.
Validating and sanitizing administrator template inputs prevents code injection exploits as described in CWE-94 and CWE-1336.
Memory protection mechanisms such as DEP and ASLR mitigate remote code execution even if template injection partially succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Template injection in network-accessible GLPI web app enables authenticated admin to achieve RCE (CWE-94), directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation) to OS-level code execution.
NVD Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.
Deeper analysisAI
CVE-2026-26026 is a template injection vulnerability in GLPI, a free asset and IT management software package. It affects versions from 11.0.0 up to but not including 11.0.6, where an administrator can trigger remote code execution (RCE) through malicious template input. The issue is classified under CWE-94 (Code Injection) and CWE-1336 (Incorrect Handling of Code Blocks in Templating Engine), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impact across confidentiality, integrity, and availability after privilege escalation.
An authenticated administrator (PR:H) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to RCE with scope expansion (S:C), allowing full compromise of the affected GLPI instance, including arbitrary code execution, data exfiltration, or further lateral movement within the environment.
The GLPI security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h confirms the vulnerability and states it is fixed in version 11.0.6. Administrators should upgrade to GLPI 11.0.6 or later to mitigate the issue.
Details
- CWE(s)