Severity: HIGH | CVE-2026-42321 | CNA: GitHub_M

CVE-2026-42321: GLPI has stored XSS in asset locks

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Metrics

CVSS v4.0: 8.4
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) affects GLPI, the open-source IT asset management platform, in versions 10.0.4 through 10.0.24. An authenticated attacker with technician-level privileges can inject a malicious script into the asset locked tab; the payload executes in a victim's browser when they view the affected page. Successful exploitation gives the attacker full read and write access to data in the victim's browser session and can disrupt the availability of the affected interface. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from GLPI base layers.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.4 (High) using the v4.0 vector and weights it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment 10.0.25 or 11.0.7 appears in the upstream release feed. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GLPI web interface over the network to inject and trigger the stored payload.

  • Authentication: Required

    A technician-level account (low-privilege relative to admin, but still an authenticated role) is needed to store the XSS payload in the asset locked tab.

  • Victim interaction: Required

    A second user, such as an administrator or another technician, must open the affected asset locked tab in their browser for the stored payload to execute.

  • Attack complexity

    Exploit conditions are straightforward and reliable; no race conditions or specific memory layout requirements are involved.

Blast Radius

  • Reads session tokens, cookies, and any sensitive data visible in the victim's active GLPI browser session.
  • Performs actions within GLPI on behalf of the victim, including modifying asset records or configuration items.
  • Crashes or disrupts the victim's GLPI interface session, forcing re-authentication or data loss in unsaved forms.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42321 is active across all connected environments, matching any image that ships an affected GLPI version (10.0.4 through 10.0.24). Because no upstream patch has been published at the time of this writing, HarborGuard monitors the GLPI release feed on every ingest cycle and will make a patched-image rebuild available automatically when 10.0.25 or 11.0.7 is released. For customers with auto-remediation enabled, the transition from vulnerable to patched image will trigger a rebuild, regression test run, and a PR opened against affected workloads without requiring manual steps. In the interim, compensating controls worth considering include network-policy isolation that restricts GLPI access to known internal IP ranges, egress filtering on the GLPI container to limit script exfiltration destinations, and access-control review to minimize the number of accounts granted technician-level privileges.

Affected packages

  • glpi-project / glpi: >= 10.0.4, < 10.0.25

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
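As an added illustration of the version matching the Detection section describes (example code, not HarborGuard's or GLPI's own), the checker below tests a scanner-reported GLPI version against the affected range listed above. The 10.x range is taken from this page; the 11.0.0 to 11.0.7 range is an assumption inferred from the advice to upgrade to 11.0.7, and the image inventory is constructed sample data.

```python
"""Check whether a GLPI version falls inside the affected ranges for CVE-2026-42321."""
import re
from typing import Dict, Iterable, List, Tuple

# Ranges as (min_inclusive, max_exclusive).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.0.4", "10.0.25"),  # from the advisory's affected-package entry
    ("11.0.0", "11.0.7"),   # ASSUMPTION: inferred from "upgrade to ... 11.0.7"
]

# Constructed sample inventory: image name -> GLPI version reported by a scanner.
SAMPLE_INVENTORY: Dict[str, str] = {
    "registry.example/glpi:10.0.3": "10.0.3",
    "registry.example/glpi:10.0.24": "10.0.24-1",  # package suffix, still 10.0.24
    "registry.example/glpi:10.0.25": "10.0.25",
    "registry.example/glpi:11.0.6": "11.0.6",
    "registry.example/glpi:11.0.7": "11.0.7",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.0.24' or '10.0.24-1' into a comparable tuple of ints.

    Distro/package suffixes after '-' or '+' are dropped; a missing
    component is padded with 0 so '10.0' compares equal to '10.0.0'.
    """
    core = re.split(r"[-+]", v.strip())[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(v: str, lo: str, hi: str) -> bool:
    """True if lo <= v < hi under numeric component comparison."""
    return parse_version(lo) <= parse_version(v) < parse_version(hi)


def is_affected(v: str, ranges: Iterable[Tuple[str, str]] = AFFECTED_RANGES) -> bool:
    return any(in_range(v, lo, hi) for lo, hi in ranges)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each image 'affected' or 'not affected' for this CVE."""
    return {name: ("affected" if is_affected(ver) else "not affected")
            for name, ver in inventory.items()}
```

The suffix stripping matters in practice: a scanner reporting a distro-packaged version like 10.0.24-1 must still match the range, while a string comparison would mis-order 10.0.4 against 10.0.25.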