CVE-2026-53987

Source
https://cve.org/CVERecord?id=CVE-2026-53987
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53987.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53987
Aliases
  • GHSA-6rpj-89c7-x2mh
Published
2026-07-09T15:44:04.474Z
Modified
2026-07-11T04:04:07.656407561Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
GLPI 11 before 2.14.4 Tag Plugin Stored Cross-Site Scripting in Kanban Badge Rendering
Details

The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53987.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/pluginsglpi/tag

Affected ranges

Type
GIT
Repo
https://github.com/pluginsglpi/tag
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "2.14.4"
        },
        {
            "introduced": "11"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53987.json"