CVE-2026-42321 in GLPI

Summary

by MITRE • 06/03/2026

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.


Analysis

by VulDB Data Team • 06/03/2026

The vulnerability identified in GLPI versions between 10.0.4 and 10.0.24 is a stored cross-site scripting flaw that affects the asset locked tab within the IT asset management system. The weakness stems from inadequate input validation and output encoding when user-supplied data is processed in the asset management interface. It allows a malicious technician with access to the system to inject a script into the asset locked tab, which is then executed in the browser of any other user who views the affected asset information.

Exploitation proceeds through the input fields of the asset locked tab, where technicians store information about locked assets. When a technician enters a malicious payload into these fields, the application fails to sanitize or encode the value before rendering it in the user interface. JavaScript can therefore be injected and is executed whenever other users browse the asset information, in particular when they open the locked tab. The vulnerability is classified under CWE-79, which covers cross-site scripting in web applications: improper handling of user-supplied input leads to script execution in the victim's browser context.

The operational impact of this vulnerability extends beyond simple data corruption or display issues, as it can enable attackers to perform session hijacking, steal sensitive information, or redirect users to malicious websites. An attacker with technician privileges could potentially escalate their access by crafting payloads that exploit the XSS vulnerability to access other users' sessions or extract confidential information from the GLPI system. The attack vector is particularly concerning given that GLPI is designed for IT asset management, where technicians often have elevated privileges and access to sensitive organizational data. This vulnerability directly impacts the integrity and confidentiality of the asset management system, potentially allowing unauthorized access to critical IT infrastructure information.

The recommended mitigation strategy involves upgrading to GLPI version 10.0.25 or 11.0.7, which contain the necessary patches to address the XSS vulnerability. These updates implement proper input validation and output encoding mechanisms that prevent malicious payloads from being stored and executed within the asset locked tab functionality. Organizations should also consider implementing additional security measures such as content security policies, regular security assessments of web applications, and user access controls to minimize potential exploitation risks. The vulnerability demonstrates the importance of maintaining current software versions and implementing proper input sanitization practices as outlined in the OWASP Top Ten security framework, particularly focusing on prevention of cross-site scripting attacks through proper validation and encoding of user-supplied data.
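The pattern described in the two paragraphs above (a stored value rendered without output encoding, and the fix of encoding at output time plus a content security policy as defence in depth) is illustrated below. This is an added, stand-alone Python example, not GLPI's own PHP code; the record layout and field names (`asset_name`, `locked_by`, `lock_comment`) are hypothetical stand-ins for the locked-tab fields, and the sample stored value is constructed for the demonstration. The audit helper at the end is a general defensive practice for sweeping data that was stored before a patch was applied, not a GLPI feature.

```python
import html
import re

# Constructed sample of what a technician might store in an asset's locked tab.
# Field names are hypothetical and do not reflect GLPI's actual schema.
SAMPLE_LOCK_RECORD = {
    "asset_name": "Laptop-042",
    "locked_by": "tech.user",
    "lock_comment": '<script>alert("xss")</script> awaiting return',
}


def render_locked_tab_unsafe(record: dict) -> str:
    """'Before' pattern: stored values are interpolated straight into the HTML.
    Whatever the technician stored is emitted as markup, so a script tag in
    lock_comment becomes live code for every user who views this tab."""
    return (
        "<table class='locked-tab'>"
        f"<tr><th>Asset</th><td>{record['asset_name']}</td></tr>"
        f"<tr><th>Locked by</th><td>{record['locked_by']}</td></tr>"
        f"<tr><th>Comment</th><td>{record['lock_comment']}</td></tr>"
        "</table>"
    )


def render_locked_tab_safe(record: dict) -> str:
    """'After' pattern: every stored value passes through HTML escaping at
    output time, so markup characters are displayed literally instead of being
    parsed. quote=True also escapes quotes, which matters inside attributes."""
    def esc(value) -> str:
        return html.escape(str(value), quote=True)

    return (
        "<table class='locked-tab'>"
        f"<tr><th>Asset</th><td>{esc(record['asset_name'])}</td></tr>"
        f"<tr><th>Locked by</th><td>{esc(record['locked_by'])}</td></tr>"
        f"<tr><th>Comment</th><td>{esc(record['lock_comment'])}</td></tr>"
        "</table>"
    )


def csp_header() -> tuple:
    """Defence-in-depth response header: with no 'unsafe-inline' in script-src,
    a browser refuses to run inline scripts even if one slips through encoding.
    The policy value is an illustrative baseline, not GLPI's shipped policy."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


# Markers of active content: an HTML tag, an inline event handler attribute,
# or a javascript: URL. Used to audit stored values, not to sanitize them.
ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def flag_suspicious_values(record: dict) -> list:
    """Defender-side audit: return the names of fields whose stored value
    contains active markup. Patching fixes rendering going forward; a sweep
    like this finds records written before the upgrade that still hold markup."""
    return [name for name, value in record.items() if ACTIVE_MARKUP.search(str(value))]


if __name__ == "__main__":
    print("unsafe :", render_locked_tab_unsafe(SAMPLE_LOCK_RECORD))
    print("safe   :", render_locked_tab_safe(SAMPLE_LOCK_RECORD))
    print("header :", ": ".join(csp_header()))
    print("flagged:", flag_suspicious_values(SAMPLE_LOCK_RECORD))
```

The key design point is that encoding happens at the moment of output, with the escaping chosen for the HTML context the value lands in; filtering on input alone is fragile because the same stored value may be rendered in several places. The CSP header is a second layer, not a replacement for encoding.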

Responsible

GitHub M

Reservation

04/26/2026

Disclosure

06/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00043

KEV

no

Activities

low
