Skip to main content

GLPI CVE-2026-40108

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 security-advisories@github.com
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 23:30 vuln.today

DescriptionGitHub Advisory

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.

AnalysisAI

Stored cross-site scripting in GLPI versions 11.0.0 through 11.0.6 allows an authenticated technician to persist a malicious payload inside ITIL cost records, which then executes in the browser of any user who later views the affected ticket or change. The flaw is fixed in 11.0.7 and there is no public exploit identified at time of analysis, but the high CVSS 4.0 score (7.1) reflects the broad confidentiality/integrity/availability impact on the victim's session once triggered.

Technical ContextAI

GLPI is an open-source IT asset and service management platform widely used to track tickets, changes, problems and the financial costs attached to them (ITIL cost entries). The vulnerable code path is the input handling for cost fields in the ITIL module, which fails to properly neutralize user-supplied script content before rendering it back to other users - a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS sink. Because GLPI renders cost data in the standard ticket/change UI, the injected payload runs with the privileges and cookies of whichever user later opens that record, including higher-privileged staff or administrators.

Affected ProductsAI

GLPI asset and IT service management software, versions 11.0.0 through 11.0.6 inclusive, are affected; version 11.0.7 contains the fix. CPE data was not supplied in the intelligence feed, but the vendor advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh is the authoritative reference. Earlier 10.x or pre-11.0.0 branches are not listed as affected in the provided data and should be confirmed separately with the project.

RemediationAI

Vendor-released patch: GLPI 11.0.7 - upgrade any 11.0.0 through 11.0.6 instance to 11.0.7 or later as the primary remediation, following the upgrade guidance referenced in https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh. Where an immediate upgrade is not possible, restrict which accounts hold the technician profile and the right to add or edit ITIL cost entries, since exploitation requires that privilege; review existing cost records for suspicious HTML or script content and sanitize them; and consider enforcing a strict Content-Security-Policy on the GLPI front end to blunt inline script execution, accepting that some plugins or custom dashboards may break under a tight CSP.

Share

CVE-2026-40108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy