CVE-2025-59935

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-59935

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59935.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59935

Aliases

GHSA-j8vv-9f8m-r7jx

Downstream

UBUNTU-CVE-2025-59935

Published

2025-12-16T16:34:46.251Z

Modified

2026-04-10T05:32:15.024162Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page

Details

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59935.json"
}

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

815997021a5df4feb7077a12f6f52769e9bd3459

Fixed

c6141a2ae3d248ddc979f15d691fb4eec3f75edc

Affected versions

10.*

10.0.0

10.0.1

10.0.10

10.0.11

10.0.12

10.0.13

10.0.14

10.0.15

10.0.16

10.0.17

10.0.18

10.0.19

10.0.2

10.0.20

10.0.3

10.0.4

10.0.5

10.0.6

10.0.7

10.0.8

10.0.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59935.json"