What is CVE-2026-26027?

CVE-2026-26027 is a high-severity vulnerability in Glpi-project Glpi, classified under Cross-site Scripting. CVSS score: 7.5/10. Published 2026-04-06.

How severe is CVE-2026-26027?

High severity. CVSS v3 base score is 7.5 out of 10.

XSS in Glpi-project Glpi

CVE-2026-26027

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (20.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Glpi-project Glpi — versions >= 11.0.0, < 11.0.6

Weakness classification (CWE)

CWE-79 — Cross-site Scripting
CWE-116 — Improper Encoding or Escaping of Output
CWE-306 — Missing Authentication for Critical Function

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-chch-wcm9-f9cp (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-26027?: CVE-2026-26027 is a high-severity vulnerability in Glpi-project Glpi, classified under Cross-site Scripting. CVSS score: 7.5/10. Published 2026-04-06.
How severe is CVE-2026-26027?: High severity. CVSS v3 base score is 7.5 out of 10.