CVE-2026-5385 Overview
CVE-2026-5385 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting GLPI, an open-source IT asset and service management platform. A user with write access to the knowledge base can store a malicious JavaScript payload inside a knowledge base item. When other users view the affected item, the payload executes in their browser session under the GLPI application origin.
The issue affects GLPI versions before 11.0.7 and is resolved in release 11.0.7. The vulnerability is tracked under GitHub Security Advisory GHSA-2fg5-jg72-h338.
Critical Impact
Stored XSS in shared knowledge base content lets an attacker hijack sessions, perform actions on behalf of administrators, and pivot to broader compromise of the GLPI instance.
Affected Products
- GLPI versions prior to 11.0.7
- GLPI knowledge base module
- GLPI deployments exposing knowledge base write permissions to non-administrative users
Discovery Timeline
- 2026-06-02 - CVE-2026-5385 published to the National Vulnerability Database
- 2026-06-03 - Last updated in the NVD database
Technical Details for CVE-2026-5385
Vulnerability Analysis
The flaw is a stored XSS in the GLPI knowledge base. Content submitted to a knowledge base item is persisted and later rendered to other users without sufficient output encoding or sanitization. An attacker who can create or edit a knowledge base entry can inject HTML or JavaScript that executes when victims load the article.
Because knowledge base content is shared across operators, technicians, and administrators, the payload reaches privileged accounts. Exploitation requires user interaction: a victim must view the booby-trapped article. The injected script runs with the victim's session context, enabling actions such as ticket manipulation, data exfiltration, or account takeover when an administrator is targeted. See the GitHub Security Advisory GHSA-2fg5-jg72-h338 for technical details.
Root Cause
The root cause is improper neutralization of input during web page generation in knowledge base item rendering. GLPI stores user-supplied content and renders it back to other users without fully escaping active HTML constructs, allowing script execution in the browser.
Attack Vector
The attack is network-based and requires an authenticated account with knowledge base write privileges. The attacker authors a knowledge base item containing a crafted payload, then waits for another user to open the article. Upon rendering, the script executes within the GLPI origin and inherits the victim's permissions.
No verified public exploit code is available. Refer to the Fluid Attacks Security Advisory and the upstream advisory for additional context.
Detection Methods for CVE-2026-5385
Indicators of Compromise
- Knowledge base items containing <script> tags, javascript: URIs, or HTML event handlers such as onerror=, onload=, or onmouseover=
- Unexpected outbound HTTP requests from administrator browsers to attacker-controlled hosts shortly after viewing knowledge base content
- New or modified GLPI accounts, API tokens, or permission grants created from administrator sessions without operator awareness
Detection Strategies
- Query the GLPI database tables backing knowledge base items for HTML or script patterns indicative of injection attempts
- Review web server access logs for suspicious POST requests to knowledge base endpoints by non-administrative accounts
- Correlate browser-side Content Security Policy (CSP) violation reports with knowledge base page loads
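The first two indicators above (script tags, script-scheme URIs, inline event handlers) and the first detection strategy (querying the tables that back knowledge base items) can be implemented as a small offline scanner. The following is an added example for this advisory, not GLPI code: it walks each item body with the standard-library HTML parser rather than regexes, so entity-encoded schemes such as `&#106;avascript:` and whitespace-split ones such as `java\tscript:` are still caught. The table and column names in the comments (`glpi_knowbaseitems`, `answer`) and the sample rows are assumptions constructed for the example; check them against your own schema.

```python
"""Scan GLPI knowledge base item bodies for stored-XSS indicators.

Added example for this advisory, not GLPI code. Assumption: rows come from a
query such as `SELECT id, name, answer FROM glpi_knowbaseitems` (table and
column names assumed; verify against your schema).
"""
import re
from html.parser import HTMLParser

# Elements that execute script or load active content.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value the browser navigates to or fetches.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _has_script_scheme(value):
    """True if the URL resolves to a script scheme after browser normalisation:
    tabs, newlines and control characters inside the scheme are ignored by
    browsers, so "java\\tscript:" must still be caught."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(SCRIPT_SCHEMES)


class XssIndicatorParser(HTMLParser):
    """Collects indicators while walking one item body. HTMLParser lowercases
    tag and attribute names and decodes character references in attribute
    values, so `&#106;avascript:` is seen as `javascript:`."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):  # onerror=, onload=, onmouseover=, ...
                self.findings.append(f"event:{name}")
            elif name in URL_ATTRS and value and _has_script_scheme(value):
                self.findings.append(f"uri:{name}")


def scan_item(body):
    """Return the indicators found in one item body (empty list if clean)."""
    parser = XssIndicatorParser()
    parser.feed(body)
    parser.close()
    return parser.findings


def find_suspicious_items(rows):
    """Map item id -> findings for every row carrying at least one indicator."""
    hits = {}
    for row in rows:
        findings = scan_item(row["answer"])
        if findings:
            hits[row["id"]] = findings
    return hits


# Constructed sample rows (not real GLPI data) covering the indicator list above.
SAMPLE_ITEMS = [
    {"id": 1, "name": "VPN setup",
     "answer": '<p>Open <a href="https://vpn.example.internal/">the portal</a> and sign in.</p>'},
    {"id": 2, "name": "Printer fix",
     "answer": '<p>Power-cycle the printer.</p><img src="x" onerror="alert(1)">'},
    {"id": 3, "name": "Wiki link",
     "answer": '<a href="&#106;avascript:alert(document.domain)">Wiki</a>'},
    {"id": 4, "name": "Plain text", "answer": "Just text, no markup at all."},
    {"id": 5, "name": "Embedded",
     "answer": '<p>Guide</p><script>alert(1)</script>'},
]

if __name__ == "__main__":
    for item_id, findings in find_suspicious_items(SAMPLE_ITEMS).items():
        print(f"item {item_id}: {', '.join(findings)}")
```

Run it against a dump of the real table and review every hit by hand: legitimate articles sometimes embed an `<iframe>` or `<object>`, so a flagged row is a lead for review, not proof of compromise.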
Monitoring Recommendations
- Audit which accounts hold knowledge base write permissions and flag any unusual additions
- Monitor GLPI application logs for edits to knowledge base entries followed by privileged actions from viewer accounts
- Track outbound traffic from workstations used by GLPI administrators for anomalous destinations
How to Mitigate CVE-2026-5385
Immediate Actions Required
- Upgrade GLPI to version 11.0.7 or later as published in the GLPI 11.0.7 release
- Inventory existing knowledge base content and remove or sanitize entries containing script tags or inline event handlers
- Restrict knowledge base write permissions to trusted accounts and revoke unnecessary editor roles
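"Remove or sanitize entries containing script tags or inline event handlers" is the remediation side of the root cause described earlier (content rendered back without neutralising active HTML). A deny-list that strips `<script>` is not enough for that; the robust pattern is an allowlist that re-emits only known-safe elements and attributes and re-escapes all text. The following is an added example of that pattern for this advisory, not GLPI's own sanitizer: the set of allowed tags and attributes is an assumption chosen for illustration, and the sample inputs in the test are constructed.

```python
"""Allowlist sanitizer for stored HTML, as a remediation pattern for stored XSS.

Added example for this advisory, not GLPI's own sanitizer. It keeps a small
set of formatting tags and attributes (an assumed allowlist), re-escapes all
text, and drops any URL whose scheme is not http, https or mailto.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "h4", "pre", "code", "a", "img",
                "table", "thead", "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}                       # never emit a closing tag for these
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def _safe_url(value):
    # Browsers drop tabs/newlines inside a scheme, so normalise before parsing;
    # character references were already decoded by HTMLParser.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0        # > 0 while inside <script>/<style>: drop their text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                 # unknown element: drop the tag, keep its text
        parts = ["<", tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue           # covers every on* handler and style=
            if name in URL_ATTRS and (value is None or not _safe_url(value)):
                continue           # javascript:, vbscript:, data: ... are dropped
            parts.append(f' {name}="{html.escape(value or "", quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:    # text is always re-escaped on output
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and processing instructions hit HTMLParser's default
    # no-op handlers and are therefore removed.


def sanitize(body):
    """Return a copy of `body` containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample body, not real knowledge base content.
    sample = '<p>Reboot.</p><img src="x" onerror="alert(1)"><script>alert(1)</script>'
    print(sanitize(sample))
```

Apply the sanitizer both when an item is saved and when it is rendered: sanitizing on write cleans new content, sanitizing on read also neutralises rows that were stored before the fix, which is exactly the population the inventory step above is meant to find.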
Patch Information
The vendor addressed the vulnerability in GLPI 11.0.7. Source code, release notes, and the fix commit are available in the GLPI project repository. Operators running self-hosted GLPI instances should plan an upgrade window and validate database migrations before promoting to production.
Workarounds
- Temporarily revoke write access to the knowledge base for non-administrative profiles until the upgrade is applied
- Deploy a strict Content Security Policy at the web server or reverse proxy layer to limit inline script execution
- Place GLPI behind a web application firewall with rules to block common XSS payload patterns in knowledge base POST requests
# Example: enforce a restrictive CSP header at an Nginx reverse proxy.
# Roll out as Content-Security-Policy-Report-Only first: script-src 'self' also blocks any inline script the application itself uses, so confirm GLPI's pages still work before enforcing.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


