CVE-2026-5385

EUVD-2026-34006
An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item.


This issue affects glpi: before 11.0.7.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
Fluid AttacksCNA
8.4 HIGH
NETWORK
LOW
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
glpi-projectglpi
𝑥
< 11.0.7
CNA
Common Weakness Enumeration
References
https://fluidattacks.com/es/advisories/bizkit
https://github.com/glpi-project/glpi
https://github.com/glpi-project/glpi/releases/tag/11.0.7
https://github.com/glpi-project/glpi/security/advisories/GHSA-2fg5-jg72-h338