CVE-2026-26026 CRITICAL

CVE-2026-26026: GLPI has a Server-Side Template Injection via Double-Compilation

Vendor Glpi-Project
Product glpi
Weakness CWE-94 · Code injection
Published April 6, 2026
Last update April 7, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

GLPI is a free asset and IT management software package. In versions from 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6.

Key dates

02 Disclosure timeline

April 6, 2026 CVE published
April 7, 2026 Record updated