CVE-2025-26626 MEDIUM

CVE-2025-26626: GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting

Vendor Glpi-Project

Product glpi-inventory-plugin

Weakness CWE-79 · XSS

Published March 14, 2025

Last update March 14, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue.

Key dates

02Disclosure timeline

March 14, 2025 CVE published

March 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-26626

Related vulnerabilities

04Related CVE

CVE-2024-11277 404 Solution <= 2.35.19 - Reflected Cross-Site Scripting CVE-2025-7142 SourceCodester Best Salon Management System search-appointment.php cross site scripting CVE-2023-43647 baserCMS Cross-site Scripting vulnerability in File upload Feature CVE-2024-43318 WordPress E2Pdf – Export To Pdf Tool for WordPress plugin <= 1.25.05 - Cross Site Scripting (XSS) vulnerability CVE-2025-10180 Markdown Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting