
GLPI CVE-2026-25932

EUVD-2026-19245 · HIGH
Improper Encoding or Escaping of Output (CWE-116)
Published 2026-04-06 · Source: GitHub_M
Score: 7.2 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (PRIMARY): 7.2 HIGH
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

| Metric              | Value     |
|---------------------|-----------|
| Attack Vector       | Network   |
| Attack Complexity   | Low       |
| Privileges Required | High      |
| User Interaction    | None      |
| Scope               | Unchanged |
| Confidentiality     | High      |
| Integrity           | High      |
| Availability        | High      |

Lifecycle Timeline (6 events)

- Analysis Updated: Apr 16, 2026 - 06:06 (EUVD-patch-fix, executive_summary)
- Re-analysis Queued: Apr 16, 2026 - 05:29 (backfill_euvd_patch, patch_released)
- Patch available: Apr 16, 2026 - 05:29 (EUVD) - version 10.0.24
- EUVD ID Assigned: Apr 06, 2026 - 15:00 (euvd) - EUVD-2026-19245
- Analysis Generated: Apr 06, 2026 - 15:00 (vuln.today)
- CVE Published: Apr 06, 2026 - 14:31 (nvd) - HIGH 7.2

Description (GitHub Advisory)

GLPI is a free asset and IT management software package. From version 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in supplier fields. This vulnerability is fixed in 10.0.24.

Analysis (AI)

Stored cross-site scripting (XSS) in GLPI asset management software allows authenticated technician-level users to inject malicious JavaScript into supplier fields, achieving code execution in victim browsers with high confidentiality, integrity, and availability impact. Affects GLPI versions 0.60 through 10.0.23, patched in version 10.0.24. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: authenticate as technician user
2. Delivery: navigate to supplier fields
3. Exploit: store XSS payload in text field
4. Execution: payload executes in admin browser session
5. Impact: steal session tokens or modify system settings

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated technician-level user account in GLPI versions 0.60 through 10.0.23. …

Risk Assessment: Real-world risk is moderate despite the 7.2 CVSS score. …

Exploit Scenario: A malicious technician or an attacker who has compromised a technician account logs into GLPI and navigates to the supplier management interface. They inject a JavaScript payload such as a session token stealer or keylogger into a supplier name or description field, which is stored without proper sanitization. …

Remediation: Upgrade GLPI to version 10.0.24 or later, which contains input validation and output encoding fixes for the supplier field XSS vulnerability. …

Recommended Action (AI)

Within 24 hours: Identify all GLPI instances and document current versions. …


CVE-2026-25932 vulnerability details – vuln.today
