Skip to main content

GLPI Tag Plugin EUVDEUVD-2026-42614

| CVE-2026-53987 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 VulnCheck GHSA-qc6r-wrm6-23pm
7.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Injection needs TAG MANAGEMENT rights (PR:H) and a victim opening the Kanban view (UI:R); stored XSS crosses into the victim's browser context (S:C) with limited confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 17:06 vuln.today

DescriptionCVE.org

The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.

AnalysisAI

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain account with TAG MANAGEMENT rights
Delivery
Create tag name with JavaScript payload
Exploit
Attach tag to ticket or project
Execution
Victim opens Kanban view
Persist
Stored script executes in victim session
Impact
Abuse victim's GLPI privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated GLPI account that holds the TAG MANAGEMENT 'create' or 'update' right (PR:H) - this is the exact gating feature named in the description; anonymous or low-privilege users cannot trigger it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.3 (High) with vector AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H, meaning network reach but two meaningful gates: high privileges (PR:H - the attacker must already hold TAG MANAGEMENT create/update rights) and passive user interaction (UI:P - a victim must open the Kanban view). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has (or has phished/compromised) a GLPI account with TAG MANAGEMENT create/update rights creates or edits a tag whose name contains a JavaScript payload, then attaches that tag to a ticket, problem, change, or project. When a technician or administrator later opens the Kanban view of that object, the badge markup renders and the script executes in their authenticated session - enabling session-context actions such as CSRF-style requests or data exfiltration. …
Remediation Vendor-released patch: upgrade the Tag plugin to version 2.14.4 or later (release: https://github.com/pluginsGLPI/tag/releases/tag/2.14.4, fixing commit 49e6b6eb5f83bcd84139a5e5ec54c0ddd14acc90, advisory: https://github.com/pluginsGLPI/tag/security/advisories/GHSA-6rpj-89c7-x2mh). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all GLPI instances running Tag plugin versions before 2.14.4; immediately restrict TAG MANAGEMENT create/update privileges to a minimal set of trusted administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy