Cyber Resilience

CVE-2026-26026

CriticalRCE

Published: 06 April 2026

Published
06 April 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0037 28.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26026 is a critical-severity Code Injection (CWE-94) vulnerability in Glpi-Project Glpi. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26026 is a template injection vulnerability in GLPI, a free asset and IT management software package. It affects versions from 11.0.0 up to but not including 11.0.6, where an administrator can trigger remote code execution (RCE) through malicious template input. The issue is classified under CWE-94 (Code Injection) and CWE-1336 (Incorrect Handling of Code Blocks in Templating Engine), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impact across confidentiality, integrity, and availability after privilege escalation.

An authenticated administrator (PR:H) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to RCE with scope expansion (S:C), allowing full compromise of the affected GLPI instance, including arbitrary code execution, data exfiltration, or further lateral movement within the environment.

The GLPI security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h confirms the vulnerability and states it is fixed in version 11.0.6. Administrators should upgrade to GLPI 11.0.6 or later to mitigate the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Template injection in network-accessible GLPI web app enables authenticated admin to achieve RCE (CWE-94), directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation) to OS-level code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66417Same product: Glpi-Project Glpi
CVE-2025-23046Same product: Glpi-Project Glpi
CVE-2026-26263Same product: Glpi-Project Glpi
CVE-2026-22247Same product: Glpi-Project Glpi
CVE-2025-21619Same product: Glpi-Project Glpi
CVE-2026-26027Same product: Glpi-Project Glpi
CVE-2026-29047Same product: Glpi-Project Glpi
CVE-2025-64516Same product: Glpi-Project Glpi
CVE-2026-22044Same product: Glpi-Project Glpi
CVE-2025-24799Same product: Glpi-Project Glpi

Affected Assets

glpi-project
glpi
11.0.0 — 11.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through patching to version 11.0.6 directly eliminates the template injection vulnerability leading to RCE.

prevent

Validating and sanitizing administrator template inputs prevents code injection exploits as described in CWE-94 and CWE-1336.

prevent

Memory protection mechanisms such as DEP and ASLR mitigate remote code execution even if template injection partially succeeds.

References