GLPI CVE-2026-40108
HIGHSeverity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionGitHub Advisory
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.
AnalysisAI
Stored cross-site scripting in GLPI versions 11.0.0 through 11.0.6 allows an authenticated technician to persist a malicious payload inside ITIL cost records, which then executes in the browser of any user who later views the affected ticket or change. The flaw is fixed in 11.0.7 and there is no public exploit identified at time of analysis, but the high CVSS 4.0 score (7.1) reflects the broad confidentiality/integrity/availability impact on the victim's session once triggered.
Technical ContextAI
GLPI is an open-source IT asset and service management platform widely used to track tickets, changes, problems and the financial costs attached to them (ITIL cost entries). The vulnerable code path is the input handling for cost fields in the ITIL module, which fails to properly neutralize user-supplied script content before rendering it back to other users - a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS sink. Because GLPI renders cost data in the standard ticket/change UI, the injected payload runs with the privileges and cookies of whichever user later opens that record, including higher-privileged staff or administrators.
Affected ProductsAI
GLPI asset and IT service management software, versions 11.0.0 through 11.0.6 inclusive, are affected; version 11.0.7 contains the fix. CPE data was not supplied in the intelligence feed, but the vendor advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh is the authoritative reference. Earlier 10.x or pre-11.0.0 branches are not listed as affected in the provided data and should be confirmed separately with the project.
RemediationAI
Vendor-released patch: GLPI 11.0.7 - upgrade any 11.0.0 through 11.0.6 instance to 11.0.7 or later as the primary remediation, following the upgrade guidance referenced in https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh. Where an immediate upgrade is not possible, restrict which accounts hold the technician profile and the right to add or edit ITIL cost entries, since exploitation requires that privilege; review existing cost records for suspicious HTML or script content and sanitize them; and consider enforcing a strict Content-Security-Policy on the GLPI front end to blunt inline script execution, accepting that some plugins or custom dashboards may break under a tight CSP.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today