Severity: HIGH | CVE-2026-40108 | CNA: GitHub_M

CVE-2026-40108: GLPI Vulnerable to Stored XSS in ITIL Costs

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in an ITIL cost entry. This issue has been fixed in version 11.0.7.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 11.0.7
Affected products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in GLPI affects versions 11.0.0 through 11.0.6. An authenticated attacker whose profile can write ITIL cost entries (a technician in GLPI) can store a script in a cost field; the script executes in the browser of any user who later views that cost entry. Successful exploitation gives the attacker control of the victim's GLPI session from within the browser, enabling data theft, account takeover, or unauthorized actions performed as the victim. A patched-image rebuild targeting version 11.0.7 is made available on HarborGuard once a base image containing the fix is resolvable.
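To make the mechanism concrete, here is an added example, not GLPI code and not taken from the advisory or the fix, of the bug class the synopsis describes and the output encoding that closes it, written in Python rather than GLPI's PHP. The three renderers, the two payloads and the runs_script check are all constructed for this illustration; render_half_fixed shows the common mistake of escaping angle brackets but not quotes, which still lets a stored value break out of an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed payloads standing in for values a technician could type into a
# cost name field; they are illustrative, not payloads from the advisory.
ELEMENT_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
ATTRIBUTE_PAYLOAD = "x' onmouseover='alert(1)"


def render_vulnerable(name: str, cost: float) -> str:
    """Interpolates the stored value verbatim into a cell and a title attribute:
    whatever markup was saved with the cost entry reaches the viewer's browser."""
    return f"<tr><td title='{name}'>{name}</td><td>{cost:.2f}</td></tr>"


def render_half_fixed(name: str, cost: float) -> str:
    """Escapes < > & but not quotes: the element-context payload is neutralised,
    but a value that closes the single-quoted attribute still injects a handler."""
    text = html.escape(name, quote=False)
    return f"<tr><td title='{text}'>{text}</td><td>{cost:.2f}</td></tr>"


def render_hardened(name: str, cost: float) -> str:
    """Escapes quotes as well (quote=True) and uses a double-quoted attribute, so
    the stored value is inert in both the text and the attribute context."""
    text = html.escape(name, quote=True)
    return f'<tr><td title="{text}">{text}</td><td>{cost:.2f}</td></tr>'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, approximating what a browser
    would parse out of the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # list of (tag, {attribute: value}) in document order

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(rendered: str):
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def runs_script(rendered: str) -> bool:
    """True when any parsed element is <script> or carries an on* event-handler
    attribute, i.e. the stored value became executable code in the viewer's page."""
    for tag, attrs in parsed_tags(rendered):
        if tag == "script" or any(a.startswith("on") for a in attrs):
            return True
    return False


def main() -> None:
    for label, payload in (("element", ELEMENT_PAYLOAD), ("attribute", ATTRIBUTE_PAYLOAD)):
        for renderer in (render_vulnerable, render_half_fixed, render_hardened):
            verdict = runs_script(renderer(payload, 12.5))
            print(f"{label:9s} {renderer.__name__:17s} runs_script={verdict}")


if __name__ == "__main__":
    main()
```

The point of the half-fixed renderer is that escaping has to match the output context: a template that puts untrusted text inside a quoted attribute needs the quotes encoded too, and a value that is safe in one place on the page is not automatically safe in another.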

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle GLPI. Any image running a version between 11.0.0 and 11.0.6 is flagged automatically.
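The version matching that the detection step relies on is easy to get wrong with plain string comparison, where "11.0.10" sorts before "11.0.7". The following is an added example, not HarborGuard's own matcher, that applies this CVE's published range (>= 11.0.0, < 11.0.7) to a constructed image inventory; the Image record, the inventory contents and the choice to treat a pre-release of the fix version as still affected are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected range as published for this CVE: >= 11.0.0, < 11.0.7.
INTRODUCED = "11.0.0"
FIXED = "11.0.7"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, str]:
    """Turns 'major.minor.patch[-prerelease]' into a comparable tuple.
    Integer components avoid the lexicographic trap ('11.0.10' < '11.0.7' as
    strings). A pre-release sorts before its final release (assumption made
    here, following semver), so '11.0.7-rc1' counts as older than the fix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4) or ""
    release_flag = 0 if pre else 1  # pre-release (0) sorts before final (1)
    return (major, minor, patch, release_flag, pre)


def is_affected(version: str, introduced: str = INTRODUCED, fixed: str = FIXED) -> bool:
    """True when introduced <= version < fixed under the ordering above."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass(frozen=True)
class Image:
    name: str
    glpi_version: Optional[str]  # None when the image does not bundle GLPI


# Constructed inventory: image names and versions are invented for this example.
INVENTORY = [
    Image("registry.example/it/glpi:11.0.6", "11.0.6"),
    Image("registry.example/it/glpi:11.0.7", "11.0.7"),
    Image("registry.example/it/glpi-custom:2024q4", "11.0.10"),
    Image("registry.example/it/glpi-legacy", "10.0.18"),
    Image("registry.example/it/glpi-next", "11.0.7-rc1"),
    Image("registry.example/web/nginx:1.27", None),
]


def flag_affected(inventory) -> List[str]:
    """Returns the names of images whose bundled GLPI falls in the affected range;
    images without GLPI are skipped rather than treated as unknown."""
    return [
        img.name for img in inventory
        if img.glpi_version is not None and is_affected(img.glpi_version)
    ]


if __name__ == "__main__":
    for name in flag_affected(INVENTORY):
        print("AFFECTED", name)
```

Note that 10.0.18 is left unflagged only because it lies outside the range published for this CVE, and that the pre-release 11.0.7-rc1 is flagged on purpose: a build that predates the final fix release is treated as unpatched until proven otherwise.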
Triage (Available)

HarborGuard scores this finding at CVSS 7.1 (High) and weights it against each environment's compliance policy before routing the alert to the appropriate team inbox. Per-environment policy weighting allows organizations with stricter SLAs for web-application vulnerabilities to escalate priority automatically.
Patch (Pending upstream)

A patched-image rebuild targeting GLPI 11.0.7 becomes available through HarborGuard once a base image containing the fix is resolvable. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GLPI web interface over the network to inject the payload, and the victim must load the affected page from a networked browser.

  • Authentication: Required

    The attacker must hold a valid account that is permitted to write ITIL cost entries (a technician-profile account in GLPI); the CVSS vector rates this as high privileges (PR:H).

  • Victim interaction: Required

    A separate user must open the poisoned ITIL cost entry in their browser for the stored script to execute, requiring a social-engineering or routine-use trigger (UI:A in the vector).

  • Attack complexity: High

    The vector rates attack complexity as high (AC:H): the attacker must successfully store the payload and then wait for a victim to view it, though no race condition or memory-layout constraint is involved.

Blast Radius

  • Reads the authenticated victim's session cookie if it is not marked HttpOnly, enabling account takeover without further credentials; even with HttpOnly set, the script can still drive the victim's session by issuing same-origin requests from the page.
  • Performs actions in the GLPI interface as the victim, including modifying or deleting IT asset records and tickets.
  • Exfiltrates any data visible to the victim in the current GLPI session, such as configuration details, cost records, and user contact information.
  • Injects secondary payloads or redirects the victim's browser to attacker-controlled infrastructure.

How HarborGuard Handles This

On HarborGuard: once a base image carrying GLPI 11.0.7 is resolvable, a patched-image rebuild is made available and flagged against any customer image found running an affected version (11.0.0 to 11.0.6). For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Because this is a stored XSS issue, organizations that cannot immediately redeploy should restrict ITIL cost write access to the minimum necessary profiles via GLPI's built-in permission controls, and may add a web application firewall rule that blocks script-bearing input in cost fields as a compensating control until the patched image is in place. Treat the WAF rule as a stopgap only: input filters are routinely bypassed with encoding and context tricks, and a rule added today does nothing about a payload stored before it went in. After upgrading, review cost entries created while a vulnerable version was deployed, since the upgrade does not remove what was already saved to the database.

Affected packages
  • glpi-project / glpi
    >= 11.0.0, < 11.0.7
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N