CVE-2026-42321 Overview
CVE-2026-42321 is a stored Cross-Site Scripting (XSS) vulnerability in GLPI, a free, open-source asset and IT management software package. The flaw affects GLPI versions 10.0.4 through 10.0.24. An authenticated technician can store a malicious JavaScript payload in the asset locked tab. The payload executes in the browser of any user who subsequently views the affected asset, enabling session theft, action hijacking, and lateral compromise inside the GLPI application.
The vulnerability is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation. It is fixed in GLPI 10.0.25 and 11.0.7.
Critical Impact
An authenticated technician can persist arbitrary JavaScript that executes against higher-privileged GLPI users, including administrators viewing the same asset.
Affected Products
- GLPI 10.0.4 through 10.0.24
- GLPI 11.0.x releases prior to 11.0.7
- GLPI deployments exposing the asset locked tab to technician-level users
Discovery Timeline
- 2026-06-03 - CVE-2026-42321 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42321
Vulnerability Analysis
The vulnerability is a stored (persistent) XSS in the GLPI asset locked tab. GLPI tracks objects that have been locked or marked deleted across asset types, and the locked tab renders metadata supplied by the user who triggered the lock. The rendering path fails to neutralize HTML control characters, so attacker-controlled input is returned to the browser as executable markup.
Because the payload is persisted server-side, every subsequent visitor to the asset locked tab executes it under their own session. Technicians and administrators with broader permissions typically review locked assets during routine cleanup, which expands the blast radius beyond the original attacker's privileges.
Successful exploitation lets the attacker run JavaScript in the victim's authenticated session. That includes reading the GLPI DOM, issuing authenticated API requests, modifying tickets and asset records, or pivoting toward administrator account takeover through CSRF-style actions.
Root Cause
The root cause is missing or insufficient output encoding when rendering user-controlled fields in the asset locked tab template. Input accepted from a technician is stored in the database and later inlined into HTML without context-aware escaping, violating CWE-79.
Attack Vector
Exploitation requires an authenticated GLPI account with technician privileges and victim interaction in the form of opening the affected asset's locked tab. The attacker submits a crafted payload through normal asset lock workflows. When any GLPI user later views the locked tab, the payload executes in their browser context.
For technical specifics, refer to the GLPI GitHub Security Advisory GHSA-hwjc-8228-55x4.
Detection Methods for CVE-2026-42321
Indicators of Compromise
- Unexpected <script>, onerror=, onload=, or javascript: strings stored in GLPI asset records or lock-related tables
- Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after opening a GLPI asset
- Sudden creation, escalation, or modification of GLPI accounts following a technician's asset lock activity
Detection Strategies
- Inspect GLPI database fields associated with the locked tab for HTML or JavaScript tokens using SQL queries that match on <, >, and event handler patterns
- Enable and review GLPI application logs for anomalous asset lock or modification events tied to technician accounts
- Deploy a Content Security Policy (CSP) in report-only mode in front of GLPI to surface inline script violations originating from stored content
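The indicator list above and the first detection strategy describe a scan of stored field values for HTML and JavaScript tokens. The following is an added example (not code from the page or from the GLPI project) that runs that scan over constructed rows; the table and field names are placeholders, not GLPI's real schema, so map them to whatever you export from the locked-tab tables.

```python
import re

# Indicator patterns for HTML/JavaScript inside fields that should hold plain text.
# The event-handler list is deliberately short; extend it for your environment.
INDICATOR_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(
        r"\bon(?:error|load|click|mouse\w+|focus|blur|key\w+|submit|change)\s*=",
        re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*[a-z][a-z0-9]*(?:\s[^>]*)?>", re.IGNORECASE),
}

def find_indicators(value):
    """Return the names of every indicator pattern that matches a stored value."""
    return [name for name, rx in INDICATOR_PATTERNS.items() if rx.search(value)]

def scan_records(records):
    """Scan (table, row_id, field, value) rows exported from the database.

    Returns one dict per row that carries at least one indicator, so the output
    can be reviewed by hand before any record is sanitized or removed.
    """
    hits = []
    for table, row_id, field, value in records:
        if not isinstance(value, str):
            continue  # NULL or non-text columns cannot carry markup
        found = find_indicators(value)
        if found:
            hits.append({"table": table, "id": row_id, "field": field,
                         "indicators": found, "excerpt": value[:60]})
    return hits

# Constructed sample rows. The table and field names are placeholders, not GLPI's schema.
# Row 3 shows that bare comparison characters in ordinary text do not trigger a hit.
SAMPLE_ROWS = [
    ("glpi_locktab_placeholder", 1, "comment", "Locked for inventory reconciliation"),
    ("glpi_locktab_placeholder", 2, "comment", "<img src=x onerror=\"alert('xss')\">"),
    ("glpi_locktab_placeholder", 3, "comment", "disk 80% > 70% threshold, so a < b here"),
    ("glpi_locktab_placeholder", 4, "comment", "<script>alert(1)</script>"),
    ("glpi_locktab_placeholder", 5, "comment", "javascript:void(0)"),
    ("glpi_locktab_placeholder", 6, "comment", None),
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_ROWS):
        print(hit)
```

Review every hit before deleting anything: the patterns are intentionally broad, and a legitimate comment that quotes HTML will match too.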
Monitoring Recommendations
- Forward GLPI web server and application logs to a centralized SIEM and alert on POST requests containing script-like payloads to asset endpoints
- Monitor administrator session activity for API calls that do not match interactive UI workflows, which can indicate XSS-driven automation
- Track GLPI version strings across the estate to confirm patched builds remain deployed after upgrade
How to Mitigate CVE-2026-42321
Immediate Actions Required
- Upgrade GLPI to version 10.0.25 or 11.0.7, which contain the official fix
- Audit existing locked-tab content for stored script payloads and sanitize or remove any suspicious records before re-enabling access
- Review technician account activity logs covering the period prior to upgrade for signs of payload insertion
Patch Information
The GLPI project released fixed versions 10.0.25 and 11.0.7. The patch and advisory are published in GitHub Security Advisory GHSA-hwjc-8228-55x4. Apply the upgrade through the standard GLPI update procedure and run the database migration scripts shipped with the release.
Workarounds
- Restrict the technician profile so that only trusted accounts can lock or unlock assets until the upgrade is completed
- Place GLPI behind a web application firewall with rules that block common stored XSS payloads on asset endpoints
- Enforce a strict Content Security Policy that disallows inline scripts to reduce the impact of any residual stored payloads
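The report-only CSP suggested under Detection Strategies and the strict CSP listed as a workaround rely on the same mechanism: a policy without 'unsafe-inline' makes the browser report every inline script it meets. The following is an added example (not from the page or the GLPI project) showing the report-only header and a triage routine for the violation reports it produces; the report endpoint path, the /glpi/ mount prefix and the sample page paths are assumptions constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Report-only policy: nothing is blocked, but every inline script on a page that
# carries this header produces a violation report. The endpoint path is an assumption.
CSP_REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only: "
    "default-src 'self'; script-src 'self'; report-uri /csp-report-endpoint"
)

def is_inline_script_violation(report):
    """True when a report describes an inline script that a script-src directive rejected."""
    body = report.get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    return directive.startswith("script-src") and body.get("blocked-uri") == "inline"

def triage_reports(raw_bodies, glpi_prefix="/glpi/"):
    """Count inline-script violations per (page path, script sample).

    glpi_prefix is an assumption about where GLPI is mounted on the host. Recurring
    samples are the application's own inline scripts; a sample seen once on an asset
    page is what to review against stored content.
    """
    counts = Counter()
    for raw in raw_bodies:
        try:
            report = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed or non-JSON POST to the endpoint
        if not is_inline_script_violation(report):
            continue
        body = report["csp-report"]
        path = urlparse(body.get("document-uri", "")).path
        if path.startswith(glpi_prefix):
            counts[(path, body.get("script-sample", "")[:40])] += 1
    return counts

# Constructed report bodies in the shape browsers POST to report-uri; the GLPI page
# paths and samples are made up for the example, not captured from a real instance.
def _report(uri, directive, blocked, sample=""):
    return json.dumps({"csp-report": {"document-uri": uri, "effective-directive": directive,
                                      "blocked-uri": blocked, "script-sample": sample}})

SAMPLE_REPORTS = [
    _report("https://glpi.example.test/glpi/front/central.php", "script-src-elem", "inline",
            "$(function () { initTooltips(); })"),
    _report("https://glpi.example.test/glpi/front/central.php", "script-src-elem", "inline",
            "$(function () { initTooltips(); })"),
    _report("https://glpi.example.test/glpi/front/asset.form.php?id=42", "script-src-elem",
            "inline", "alert(1)"),
    _report("https://glpi.example.test/glpi/front/central.php", "img-src",
            "https://cdn.example.test/logo.png"),
    _report("https://other.example.test/app/", "script-src-elem", "inline", "alert(1)"),
    "not a json body",
]
```

Baseline the counts on a clean instance first, because the application's own inline scripts report continuously in this mode; only samples that do not appear in that baseline point at stored content.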
# Verify the installed GLPI version after upgrade (install path assumed to be /var/www/glpi)
cd /var/www/glpi
php bin/console --version
# Cross-check against the version constant shipped in the release
grep "GLPI_VERSION" /var/www/glpi/inc/define.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.