CVE-2026-53987 in GLPI 11
Summary
by MITRE • 07/09/2026
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in GLPI Tag plugin version 11 prior to 2.14.4 represents a critical stored cross-site scripting flaw that exploits improper input validation and output encoding mechanisms within the application's Kanban interface. This security weakness resides in the PluginTagTag::preKanbanContent() method which processes tag names without implementing adequate HTML sanitization before rendering them into the Kanban badge markup, creating an environment where malicious HTML content can persistently execute within user browsers.
The technical implementation of this vulnerability stems from a failure to properly escape output when displaying user-supplied tag names in the Kanban view context. When an authenticated user with appropriate TAG MANAGEMENT permissions creates or modifies a tag containing HTML content, that content is stored verbatim in the database without sanitization. Subsequently, when any user accesses the Kanban view for tickets, problems, changes, or projects containing these malicious tags, the unescaped HTML executes within their browser context, potentially enabling attackers to perform actions such as cookie theft, session hijacking, or redirection to malicious sites.
This vulnerability directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation into a Browser, which classifies the issue as a client-side cross-site scripting vulnerability occurring due to insufficient output escaping. The attack vector is particularly concerning within enterprise environments where GLPI serves as a ticketing and project management system, as it can be exploited by attackers who have gained legitimate access to create or modify tags through the application's permission model.
The operational impact of this vulnerability extends beyond simple script execution, as it allows for persistent malicious code delivery that can affect all users viewing affected Kanban views. The stored nature of this XSS means that once a malicious tag is created, it will continue to execute against any user who accesses the relevant views until the tag name is modified or the plugin is updated. This creates a persistent threat vector that can be leveraged for extended reconnaissance, credential harvesting, or further exploitation within the network.
Organizations should immediately implement mitigation strategies including applying the patched version 2.14.4 of the GLPI Tag plugin, which addresses the vulnerability through proper HTML sanitization and output escaping mechanisms. Additional protective measures include implementing strict input validation for tag names, limiting TAG MANAGEMENT permissions to only trusted users, and monitoring for suspicious tag creation activities. The vulnerability also aligns with ATT&CK technique T1566.001: Phishing via Social Media, as it could be exploited through social engineering to manipulate tag content for malicious purposes, though the core exploitation requires authenticated access to the system's tagging functionality.