#VU124958 Stored cross-site scripting in GLPI - CVE-2026-25932

 

Published: April 6, 2026


Vulnerability identifier: #VU124958
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25932
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GLPI
Software vendor: glpi-project

Description

The vulnerability allows a remote user to execute arbitrary script code in the context of the application.

The vulnerability exists due to improper encoding or escaping of output in supplier fields when handling user-supplied supplier data. A remote privileged user can store an XSS payload in supplier fields to execute arbitrary script code in the context of the application.



Remediation

Install the security update from the vendor's website.
