CVE-2026-26027 HIGH

CVE-2026-26027: GLPI has an Unauthenticated Stored XSS via inventory

Vendor Glpi-Project
Product glpi
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 7, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 7, 2026 Record updated