GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26027.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-116",
"CWE-306",
"CWE-79"
]
}