CVE-2026-25932 PUBLISHED

GLPI has Stored XSS in Supplier 'Website' field

Assigner: GitHub_M
Reserved: 09.02.2026 Published: 06.04.2026 Updated: 06.04.2026

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	glpi-project
Product	glpi
Versions	Version >= 0.60, < 10.0.24 is affected

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh

Problem Types

CWE-116: Improper Encoding or Escaping of Output CWE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE