CVE-2026-25590 in glpi-inventory-plugin
Summary
by MITRE • 03/04/2026
The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/06/2026
The GLPI Inventory Plugin is a core component of enterprise IT asset management, providing network discovery, inventory tracking, software deployment and data collection for GLPI agents. Because it bridges organizational infrastructure and the central management platform, it is an attractive target for attackers seeking to compromise IT governance systems. The vulnerability in versions prior to 1.6.6 is a reflected cross-site scripting flaw in task job processing, specifically in the plugin's handling of user input during network discovery and inventory operations. It arises because the plugin does not properly sanitize or escape user-supplied data before including it in HTTP responses, so an attacker can inject scripts that execute in the browsers of authenticated users.
Exploitation involves crafting input that the plugin's web interface reflects back to users while task jobs are executed. An attacker can manipulate parameters of network discovery or inventory tasks to inject JavaScript that runs when other users view the affected task job results. The flaw maps to CWE-79, which classifies cross-site scripting as a weakness in input validation and output encoding, specifically the failure to encode data properly before rendering it in a web context. The weakness lets attackers bypass security controls that rely on browser-side validation, potentially enabling unauthorized access to sensitive system information, session hijacking, or redirection to malicious domains. Because the vulnerability is reflected, the malicious script is not stored on the server but injected through crafted URLs or parameters, which makes it harder to detect and prevent with traditional server-side measures.
The operational impact goes beyond simple script execution: an attacker can compromise the integrity of IT asset management data and potentially escalate privileges within the GLPI environment. Authenticated users who interact with affected task job displays are exposed to session theft, data exfiltration, or manipulation of inventory records that could influence critical infrastructure decisions. Since the flaw sits in the network discovery and inventory collection functionality, an attacker could also gather sensitive information about network topology, device configurations, or software inventories. This is especially concerning in enterprises where GLPI manages critical infrastructure assets and where compromised inventory data could lead to unauthorized access to network resources or disruption of IT operations. Because the vulnerability lives in the task job processing component, any user able to create or view task jobs is exposed, which includes system administrators, IT operators, and other privileged users who regularly work in the plugin's interface.
Mitigation starts with updating immediately to GLPI Inventory Plugin 1.6.6 or later, which contains the patch for the input validation weakness. Organizations should run vulnerability assessments to identify every system on an affected plugin version and ensure patch management procedures are in place for future updates. Network monitoring should be tuned to detect traffic that may indicate exploitation attempts, in particular around task job parameters and network discovery operations. Input validation controls should be implemented at multiple layers, including web application firewalls, API gateways, and application-level sanitization, to provide defense in depth. Organizations should also apply least-privilege access control to GLPI plugin functions, limiting users to only the task job operations they need. Regular security training for IT personnel should stress validating input data and recognizing XSS attack vectors in web-based management interfaces. Incident response procedures should specifically cover exploitation of such vulnerabilities in asset management systems so that containment and remediation are rapid. The fix in version 1.6.6 likely consists of proper HTML escaping, input sanitization, and output encoding that prevent injected scripts from executing in user browsers, addressing the root cause described by CWE-79.
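As an added illustration of the CWE-79 pattern described above and of the output-encoding fix the mitigation paragraph refers to (example code, not code from glpi-inventory-plugin): the parameter name job_name, the markup, and the constructed input are assumptions, since the advisory does not name the reflected parameter.

```php
<?php
// Added illustration, not code from glpi-inventory-plugin. The parameter
// name "job_name" and the markup are assumptions; the plugin's real
// reflected parameter is not named in the advisory. Requires PHP 8+.

// Constructed request value: what a crafted URL might carry into a task job
// page. It contains a quote (to break out of an attribute) and a tag.
$constructedInput = 'Inventory" autofocus onfocus="alert(1)"><script>alert(1)</script>';

// BEFORE (CWE-79): the value is interpolated into the response verbatim,
// so markup arriving in the URL becomes markup in the page.
function renderJobHeaderVulnerable(string $jobName): string
{
    return "<h2>Task job: $jobName</h2>\n"
         . "<input type=\"text\" name=\"job_name\" value=\"$jobName\">";
}

// AFTER: encode for the HTML context at the point of output. ENT_QUOTES
// encodes both ' and " (needed inside attributes), ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the string, and the charset must
// match the one the page is served with.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderJobHeaderSafe(string $jobName): string
{
    return "<h2>Task job: " . h($jobName) . "</h2>\n"
         . "<input type=\"text\" name=\"job_name\" value=\"" . h($jobName) . "\">";
}

// Self-check: does the rendered HTML still contain the raw input or a
// raw <script tag? True means the input was reflected unencoded.
function containsRawMarkup(string $html, string $input): bool
{
    return str_contains($html, $input) || str_contains($html, '<script');
}

$vuln = renderJobHeaderVulnerable($constructedInput);
$safe = renderJobHeaderSafe($constructedInput);

echo $vuln, "\n\n", $safe, "\n\n";
echo 'vulnerable reflects raw markup: ', var_export(containsRawMarkup($vuln, $constructedInput), true), "\n";
echo 'hardened reflects raw markup:   ', var_export(containsRawMarkup($safe, $constructedInput), true), "\n";
```

The hardened rendering emits `&lt;script&gt;` and `&quot;` instead of the raw characters, so the browser displays the text rather than parsing it as markup; the same context-specific encoding is what a web application firewall cannot substitute for at the application layer.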