CVE-2026-5385: GLPI 11.0.0 - Stored XSS in knowledge base
An authenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi before 11.0.7.
Metrics
- CVSS v4.0: 8.4
- Severity: HIGH
- Fixed in: 11.0.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in GLPI's knowledge base allows an attacker with write access to the knowledge base to inject malicious scripts into knowledge base items. The vulnerability is reachable over the network and requires a high-privilege account to create or edit knowledge base entries; exploitation is triggered when another user views the poisoned item. Successful exploitation gives the attacker full read and write access to data in the victim's browser session, and can disrupt the victim's use of the application. A patched-image rebuild at version 11.0.7 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-5385 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of its publication, including custom-built images that bundle GLPI. HarborGuard ingests from upstream advisory feeds continuously, so any image found running a version of glpi-project/glpi before 11.0.7 is flagged automatically.
HarborGuard is capable of scoring this CVE at CVSS 8.4 (HIGH) and weighting that score against each customer environment's compliance policy before routing the finding to the appropriate team inbox. Per-environment policy configuration lets customers define escalation thresholds, ensuring high-severity findings like this one surface to the right reviewers without noise.
A patched-image rebuild at glpi version 11.0.7 becomes available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the GLPI knowledge base interface over the network; the service must be exposed to an accessible network endpoint.
- Authentication: Required
  A high-privilege account with write access to the knowledge base is needed to store the malicious payload.
- Victim interaction: Required
  A separate user must open and view the poisoned knowledge base item, making this a social-engineering or passive-wait scenario.
- Attack complexity
  The exploit is reliable and condition-free once the attacker has the required account; no race conditions or specific memory layout are involved.
Blast Radius
- Reads sensitive data accessible in the victim's browser session, including session tokens, credentials auto-filled by the browser, and any GLPI data rendered on the page.
- Performs actions in GLPI on behalf of the victim, including modifying records, creating users, or changing configuration, at whatever privilege level the victim holds.
- Disrupts the victim's active session by redirecting the browser, logging the user out, or rendering the application unusable for that session.
How HarborGuard Handles This
Available on HarborGuard: for any image found running glpi-project/glpi before 11.0.7, a rebuild at the fixed version 11.0.7 is prepared as soon as the fix version is registered in the advisory feed. For customers who opt into auto-remediation, the full flow (image rebuild, regression test run, and a PR opened against affected workloads) is available with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the HarborGuard findings dashboard for reviewer sign-off. Customers who cannot immediately upgrade can apply compensating controls such as restricting knowledge base write permissions to the smallest necessary set of accounts and placing the GLPI interface behind a network policy that limits lateral access from the application tier.
- glpi-project/glpi: < 11.0.7 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
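As an added example (not HarborGuard's or GLPI's code), the script below parses the CVSS 4.0 vector published above, derives the preconditions listed under Exploit Conditions from it, and checks whether a given glpi version string falls inside the affected range "< 11.0.7 (from 0)". The helper names, the sample version strings and the treatment of pre-release suffixes are assumptions of this example.

```python
# Added example: map the advisory's CVSS 4.0 vector onto the "Exploit Conditions"
# narrative and test glpi version strings against the affected range (< 11.0.7).
# Helper names and sample versions are constructed for this example.
import re

FIXED_VERSION = (11, 0, 7)  # "Fixed in" value from the advisory
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


def parse_version(v: str) -> tuple:
    """Turn '11.0.6' into (11, 0, 6); a pre-release suffix such as '-rc1' is ignored
    (assumption: a pre-release of the fixed version is treated as fixed)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """Affected range from the advisory: every release before 11.0.7 (from 0)."""
    return parse_version(version) < FIXED_VERSION


def parse_cvss4(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}; rejects other versions
    and vectors missing any of the eleven base metrics."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    required = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
    missing = required - metrics.keys()
    if missing:
        raise ValueError(f"vector missing base metrics: {sorted(missing)}")
    return metrics


def exploit_conditions(vector: str) -> dict:
    """Derive the preconditions the advisory lists from the vector's base metrics."""
    m = parse_cvss4(vector)
    return {
        "network_reachability_required": m["AV"] == "N",
        "authentication_required": m["PR"] in ("L", "H"),
        "high_privilege_required": m["PR"] == "H",
        "victim_interaction_required": m["UI"] in ("P", "A"),
        "condition_free": m["AC"] == "L" and m["AT"] == "N",
    }


if __name__ == "__main__":
    for v in ("10.0.18", "11.0.0", "11.0.6", "11.0.7", "11.1.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(exploit_conditions(VECTOR))
```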