CVE-2026-26027

Source
https://cve.org/CVERecord?id=CVE-2026-26027
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26027.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26027
Aliases
  • GHSA-chch-wcm9-f9cp
Downstream
Published
2026-04-06T14:35:53.788Z
Modified
2026-07-08T08:12:26.164171009Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
GLPI has an Unauthenticated Stored XSS via inventory
Details

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26027.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-306",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type
GIT
Repo
https://github.com/glpi-project/glpi
Events
Database specific
{
    "cpe": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.0.6"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

11.*
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26027.json"