Skip to main content

Glpi 11

1 CVEs product

Monthly

CVE-2026-53987 HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub
CVSS 4.0
7.3
EPSS
0.3%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in the Tag plugin for GLPI 11 (versions before 2.14.4) allows an authenticated user holding TAG MANAGEMENT create/update rights to persist an HTML/JavaScript payload in a tag name, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. The flaw stems from PluginTagTag::preKanbanContent() rendering the unsanitized tag name into badge markup without output escaping. No public exploit identified at time of analysis; the issue was reported by VulnCheck and a vendor patch (2.14.4) is available.

XSS Glpi 11
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy