Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Injection needs TAG MANAGEMENT rights (PR:H) and a victim opening the Kanban view (UI:R); stored XSS crosses into the victim's browser context (S:C) with limited confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.
AnalysisAI
Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated GLPI account that holds the TAG MANAGEMENT 'create' or 'update' right (PR:H) - this is the exact gating feature named in the description; anonymous or low-privilege users cannot trigger it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score is 7.3 (High) with vector AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H, meaning network reach but two meaningful gates: high privileges (PR:H - the attacker must already hold TAG MANAGEMENT create/update rights) and passive user interaction (UI:P - a victim must open the Kanban view). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has (or has phished/compromised) a GLPI account with TAG MANAGEMENT create/update rights creates or edits a tag whose name contains a JavaScript payload, then attaches that tag to a ticket, problem, change, or project. When a technician or administrator later opens the Kanban view of that object, the badge markup renders and the script executes in their authenticated session - enabling session-context actions such as CSRF-style requests or data exfiltration. … |
| Remediation | Vendor-released patch: upgrade the Tag plugin to version 2.14.4 or later (release: https://github.com/pluginsGLPI/tag/releases/tag/2.14.4, fixing commit 49e6b6eb5f83bcd84139a5e5ec54c0ddd14acc90, advisory: https://github.com/pluginsGLPI/tag/security/advisories/GHSA-6rpj-89c7-x2mh). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all GLPI instances running Tag plugin versions before 2.14.4; immediately restrict TAG MANAGEMENT create/update privileges to a minimal set of trusted administrators. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42614
GHSA-qc6r-wrm6-23pm