Which versions of GLPI are affected by EUVD-2026-34097?

GLPI versions 10.0.4-10.0.24 contain a stored cross-site scripting vulnerability (CVSS 8.4) with no public exploit identified at time of analysis.. A patch is available.

How to fix or mitigate EUVD-2026-34097?

Within 24 hours: Inventory all GLPI deployments and document which instances run vulnerable versions (10.0.4-10.0.24). Within 7 days: Apply vendor patch to all affected systems. Within 30 days: Verify patch deployment completion and evaluate additional access controls for technician asset modifications.

GLPI EUVD-2026-34097

Q: What is the CVSS score of EUVD-2026-34097?

EUVD-2026-34097 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-42321 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-06-03 GitHub_M

XSS Glpi

8.4

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Jun 03, 2026 - 18:30 vuln.today

Patch available

Jun 03, 2026 - 17:01 EUVD

CVSS changed

Jun 03, 2026 - 16:22 NVD

8.4 (HIGH)

CVE Published

Jun 03, 2026 - 15:25 nvd

UNKNOWN (no severity yet)

DescriptionGitHub Advisory

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

AnalysisAI

Stored cross-site scripting in GLPI 10.0.4 through 10.0.24 allows an authenticated technician to persist a malicious JavaScript payload in the asset locked tab, which executes in the browser of any subsequent user who views the affected asset. The flaw carries a CVSS 4.0 score of 8.4 driven by high impact on confidentiality, integrity, and availability of the victim session, though exploitation requires high privileges (technician role) and user interaction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as technician to GLPI

Delivery

Open target asset locked tab

Exploit

Store crafted JavaScript payload

Execution

Wait for admin to view asset

Persist

Script executes in admin session

Impact

Hijack session and abuse GLPI privileges