Which versions of GLPI are affected by EUVD-2026-34006?

GLPI allows knowledge base content editors to inject malicious code that executes in the browsers of all organization members accessing affected documentation, enabling credential theft and account…. A patch is available.

How to fix or mitigate EUVD-2026-34006?

Within 24 hours: Identify all GLPI instances and document their versions; restrict knowledge base editor access if patch deployment cannot complete within 48 hours. Within 7 days: Upgrade all GLPI instances to version 11.0.7 or later and review knowledge base modification logs for unauthorized or suspicious content additions. Within 30 days: Verify patch deployment across all systems, implement HTTP Content-Security-Policy headers to prevent inline script execution, and scan knowledge base records for residual malicious payloads.

GLPI EUVD-2026-34006

Q: What is the CVSS score of EUVD-2026-34006?

EUVD-2026-34006 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-5385 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-06-02 Fluid Attacks

XSS Glpi

8.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Jun 02, 2026 - 22:30 vuln.today

Analysis Generated

Jun 02, 2026 - 22:30 vuln.today

CVSS changed

Jun 02, 2026 - 20:22 NVD

8.4 (HIGH)

CVE Published

Jun 02, 2026 - 18:32 nvd

UNKNOWN (no severity yet)

DescriptionCVE.org

An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item.

This issue affects glpi: before 11.0.7.

AnalysisAI

Stored cross-site scripting in GLPI before 11.0.7 allows an attacker with write access to the knowledge base to embed a persistent XSS payload that executes in the browsers of users who later view the affected knowledge base item. The flaw was reported by Fluid Attacks and is rated High severity (CVSS 8.4) by the vendor, who shipped a fix in the 11.0.7 security release; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain GLPI account with KB write role

Delivery

Craft malicious KB article with XSS payload

Exploit

Save article to knowledge base

Install

Victim technician/admin opens article

Payload executes in victim's session

Execute

Steal session/CSRF token or call privileged APIs

Impact

Escalate within GLPI tenant