CVE-2026-26027
Published: 06 April 2026
Summary
CVE-2026-26027 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stored XSS vulnerability by requiring remediation through upgrading GLPI to version 11.0.6 where the flaw is patched.
Validates inputs to the inventory endpoint to block malicious XSS payloads from being stored by unauthenticated users.
Filters inventory data outputs to neutralize XSS scripts before rendering in user browsers, preventing execution even if payloads are stored.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing GLPI inventory endpoint directly enables T1190 (exploit of public-facing web app by unauthenticated attacker) and T1059.007 (adversary-controlled JavaScript execution in victim browser session).
NVD Description
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
Deeper analysisAI
CVE-2026-26027 is a stored cross-site scripting (XSS) vulnerability in GLPI, a free asset and IT management software package. It affects versions from 11.0.0 up to but not including 11.0.6, allowing an unauthenticated user to store an XSS payload through the inventory endpoint. The issue is linked to CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-116 (Improper Encoding or Escaping of Output), and CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthenticated attacker with network access can exploit this by submitting a malicious payload to the inventory endpoint, which is then stored for later retrieval. Exploitation requires high attack complexity and user interaction, such as a legitimate user viewing the affected inventory data in their browser. Successful execution can result in high impacts to confidentiality, integrity, and availability within the victim's session, potentially enabling actions like script execution, data exfiltration, or account compromise.
The vulnerability is addressed in GLPI version 11.0.6. Administrators should upgrade to this patched release to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp.
Details
- CWE(s)