CVE-2026-25932 Overview
CVE-2026-25932 is a stored Cross-Site Scripting (XSS) vulnerability affecting GLPI, a widely-used Free Asset and IT Management Software package. The vulnerability exists in versions from 0.60 to before 10.0.24 and allows an authenticated technician user to store malicious XSS payloads in supplier fields. When other users view the affected supplier records, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions.
Critical Impact
Authenticated technicians can inject persistent XSS payloads that execute when administrators or other users view supplier records, potentially compromising sensitive IT management data and session tokens.
Affected Products
- GLPI versions 0.60 through 10.0.23
- glpi-project GLPI (all installations running vulnerable versions)
- Self-hosted and managed GLPI deployments
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-25932 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-25932
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in the supplier management functionality of GLPI. The application fails to properly sanitize user-supplied input when technicians create or modify supplier records. Specifically, certain supplier fields do not undergo adequate output encoding when rendered in the web interface.
The vulnerability requires authentication with technician-level privileges, which limits the initial attack surface. However, once a malicious payload is stored, it executes in the context of any user who views the compromised supplier record—including administrators with elevated privileges. This privilege escalation potential makes the vulnerability particularly concerning in multi-user GLPI environments where separation of duties is expected.
The stored nature of this XSS means the payload persists in the database and triggers repeatedly whenever the affected page is loaded, maximizing the attack's potential reach without requiring additional attacker interaction.
Root Cause
The root cause of CVE-2026-25932 is improper input validation and output encoding in the supplier fields handling code. When supplier data is saved to the database and subsequently displayed to users, the application fails to properly escape HTML special characters and JavaScript code. This allows attackers to inject script tags or event handlers that execute when the browser parses the rendered page.
The vulnerability affects a broad range of GLPI versions (0.60 through 10.0.23), indicating this input handling flaw has been present in the codebase for an extended period.
Attack Vector
The attack vector is network-based and requires an authenticated session with technician privileges. The attacker workflow involves:
- Authenticating to GLPI with a valid technician account
- Navigating to the supplier management section
- Creating or editing a supplier record
- Inserting malicious JavaScript payload into vulnerable supplier fields
- Saving the record to persist the payload in the database
Once stored, the XSS payload executes automatically when any user (including administrators) views the compromised supplier record. The attacker can leverage this to steal session cookies, perform actions on behalf of the victim user, exfiltrate sensitive IT asset information, or further compromise the GLPI installation.
For detailed technical information about the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-25932
Indicators of Compromise
- Unusual JavaScript content in supplier database fields including <script> tags, event handlers (onerror, onload, onclick), or encoded script payloads
- Unexpected outbound network requests from user browsers when viewing supplier pages
- Session token theft attempts visible in web application firewall logs
- Anomalous activity from user accounts following supplier record access
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Deploy web application firewalls (WAF) with rules to identify XSS payload patterns in form submissions
- Enable GLPI audit logging to track supplier record modifications by technician accounts
- Use browser-based XSS detection tools during security assessments
Monitoring Recommendations
- Monitor GLPI application logs for suspicious supplier field modifications containing HTML/JavaScript
- Set up alerts for CSP violation reports indicating blocked script execution
- Review technician account activity for bulk supplier record modifications
- Implement database integrity monitoring to detect unauthorized script injection in supplier tables
How to Mitigate CVE-2026-25932
Immediate Actions Required
- Upgrade GLPI to version 10.0.24 or later immediately to remediate this vulnerability
- Review existing supplier records for potentially malicious content prior to upgrade
- Temporarily restrict technician access to supplier management functionality until patched
- Implement Content Security Policy headers as a defense-in-depth measure
Patch Information
The GLPI project has released version 10.0.24 which addresses this stored XSS vulnerability. Organizations should upgrade to this version or later as soon as possible. The official security advisory is available at the GLPI GitHub Security Advisory page.
Before upgrading, administrators should back up their GLPI database and configuration files. After applying the patch, review existing supplier records to identify and clean any previously injected malicious content.
Workarounds
- Implement strict Content Security Policy (CSP) headers to prevent inline script execution as a temporary mitigation
- Restrict supplier management permissions to only essential trusted users until the patch is applied
- Deploy web application firewall rules to filter XSS payloads in form submissions targeting supplier fields
- Manually audit and sanitize existing supplier records to remove any injected scripts
# Example CSP header configuration for Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
# For nginx, add to server block
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
