CVE-2026-40108 Overview
CVE-2026-40108 is a stored Cross-Site Scripting (XSS) vulnerability in GLPI, a free asset and IT management software package. The flaw affects GLPI versions 11.0.0 through 11.0.6 and allows an authenticated technician to store a malicious script payload within ITIL costs records. When other users view the affected ticket or change record, the payload executes in their browser session. The issue is tracked under [CWE-79] and was fixed in GLPI version 11.0.7.
Critical Impact
An authenticated technician can persist JavaScript in ITIL cost fields, enabling session theft, privilege escalation, or unauthorized actions against higher-privileged users who view the record.
Affected Products
- GLPI 11.0.0
- GLPI versions 11.0.1 through 11.0.5
- GLPI 11.0.6
Discovery Timeline
- 2026-06-02 - CVE-2026-40108 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-40108
Vulnerability Analysis
The vulnerability is a stored XSS condition in the ITIL costs functionality of GLPI. ITIL costs are line items associated with tickets, problems, and changes that record financial information tied to IT service management workflows. The application stores values supplied to these cost fields and later renders them in HTML contexts without sufficient output encoding.
Because the payload is persisted server-side, every user who subsequently loads the affected record triggers script execution in their own session. Exploitation requires an account with technician privileges, raising the attack complexity but keeping the impact significant in multi-tenant or managed service environments.
Root Cause
The root cause is improper neutralization of user-supplied input during web page generation, classified as [CWE-79]. Input submitted to ITIL cost fields is not adequately sanitized or contextually encoded before being placed back into rendered HTML, allowing arbitrary script content to survive the storage and display cycle.
Attack Vector
An attacker with valid technician credentials submits a crafted payload through the ITIL cost creation or edit interface. The payload is written to the GLPI database and rendered when administrators, other technicians, or self-service users open the parent ticket. Script execution occurs in the victim's authenticated session, enabling cookie theft, CSRF-style actions, or interface manipulation. Technical details are available in the GitHub Security Advisory GHSA-rhmv-j773-4gvh.
Detection Methods for CVE-2026-40108
Indicators of Compromise
- Unexpected HTML tags or <script>, onerror, or javascript: strings stored in glpi_ticketcosts, glpi_problemcosts, or glpi_changecosts database tables.
- Outbound HTTP requests from administrator browsers to attacker-controlled domains shortly after viewing ITIL tickets.
- Anomalous session activity from administrative accounts immediately following a technician's cost record edit.
Detection Strategies
- Review GLPI application logs for ITIL cost create and update events authored by non-administrative technician accounts.
- Query the GLPI database for cost record fields containing HTML control characters such as <, >, or quoted event handlers.
- Inspect web server access logs for repeated GET requests to ticket detail pages and correlate them with egress proxy or DNS logs showing outbound connections from the workstations of privileged users shortly afterwards.
Monitoring Recommendations
- Enable a Content Security Policy (CSP) in reporting mode on the GLPI front end and forward violation reports to a centralized log platform.
- Alert on edits to ITIL cost objects performed by accounts that do not normally interact with billing data.
- Monitor session cookie reuse from multiple source IP addresses, which can indicate post-XSS session hijacking.
How to Mitigate CVE-2026-40108
Immediate Actions Required
- Upgrade all GLPI instances running 11.0.0 through 11.0.6 to version 11.0.7 or later.
- Audit existing ITIL cost records in tickets, problems, and changes for stored HTML or script content and remove malicious entries.
- Review the technician role membership and revoke access for accounts that do not require ITIL cost editing.
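The database query suggested under Detection Strategies and the record audit above can be driven by a small script. The following is an added example, not part of this advisory or of GLPI itself; it assumes the cost tables expose the user-editable text in `name` and `comment` columns and runs here against a constructed in-memory SQLite copy of the three tables (on a live instance the same function works with any DB-API connection to the GLPI database).

```python
import re
import sqlite3

# GLPI keeps ITIL costs in three tables, one per parent object type.
COST_TABLES = ("glpi_ticketcosts", "glpi_problemcosts", "glpi_changecosts")
# Assumed: the user-editable label and free-text note live in "name" and "comment".
TEXT_COLUMNS = ("name", "comment")

# Markup that has no place in a cost label: an HTML tag opener, an inline
# event-handler attribute, or a javascript: URL. A bare "<" followed by a
# number (e.g. "cost < 100") is deliberately not flagged.
SUSPECT = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspect_cost_rows(conn):
    """Return (table, id, column, value) for every text field that matches SUSPECT."""
    hits = []
    cols = ", ".join(TEXT_COLUMNS)
    for table in COST_TABLES:
        for row_id, *values in conn.execute(f"SELECT id, {cols} FROM {table}"):
            for col, value in zip(TEXT_COLUMNS, values):
                if value and SUSPECT.search(value):
                    hits.append((table, row_id, col, value))
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for the three cost tables with sample rows."""
    conn = sqlite3.connect(":memory:")
    for table in COST_TABLES:
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    conn.executemany(
        "INSERT INTO glpi_ticketcosts (id, name, comment) VALUES (?, ?, ?)",
        [
            (1, "Replacement SSD", "2 x 1TB, invoice 4471"),          # benign
            (2, "Onsite visit <img onerror=x>", ""),                  # stored markup
            (3, "Travel", "reimbursed if cost < 100 EUR"),            # benign "<"
        ],
    )
    conn.execute(
        "INSERT INTO glpi_changecosts (id, name, comment) "
        "VALUES (4, 'Licence', 'javascript: link pasted from vendor mail')"
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for hit in find_suspect_cost_rows(build_sample_db()):
        print(hit)
```

Every hit is a row to review by hand before deleting or editing it; the regex is a triage filter, not a verdict.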
Patch Information
GLPI version 11.0.7 resolves CVE-2026-40108 by properly sanitizing ITIL cost field input before storage and applying context-aware output encoding during HTML rendering. Refer to the GLPI GitHub Security Advisory for fix details and upgrade guidance.
Workarounds
- Restrict the technician profile so that only trusted staff can create or modify ITIL cost entries until the patch is applied.
- Deploy a strict Content Security Policy that disallows inline scripts to reduce the impact of stored XSS execution.
- Place a web application firewall rule in front of GLPI to block request bodies containing common XSS patterns targeting cost endpoints.
# Configuration example: upgrade GLPI to the fixed release (assumes a git-based deployment under /var/www/glpi)
cd /var/www/glpi
# Take the instance offline so nobody edits records while code and schema are updated
php bin/console glpi:maintenance:enable
git fetch --tags
git checkout 11.0.7
composer install --no-dev --optimize-autoloader
# Apply the database migrations shipped with 11.0.7, then bring the instance back
php bin/console db:update --allow-unstable
php bin/console glpi:maintenance:disable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.