=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN577
_____________________________________________________________________

DATE                : 02/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GLPI versions prior to 10.0.25
                     (10.x branch) or 11.0.7 (11.x branch).

=====================================================================
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22
https://github.com/glpi-project/glpi/security/advisories/GHSA-hwjc-8228-55x4
https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh
https://github.com/glpi-project/glpi/security/advisories/GHSA-2fg5-jg72-h338
https://github.com/glpi-project/glpi/security/advisories/GHSA-cg63-qchq-q626
https://github.com/glpi-project/glpi/security/advisories/GHSA-jf72-cvjh-px5w

_____________________________________________________________________

Arbitrary item deletion via planning
High
cedric-anne published GHSA-w7mr-3vwm-2j22 Jun 1, 2026

Package
glpi (glpi)

Affected versions
>= 9.5.0, < 11.0.0
>= 11.0.0

Patched versions
10.0.25
11.0.7


Description

Impact

A technician with access to planning can delete any object in GLPI.

Patches

Upgrade to 10.0.25 or 11.0.7.

Workarounds

Disable delete rights for User's planning.

For more information

If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.


Severity
High
7.0 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: High
  User Interaction: None
Vulnerable System Impact Metrics
  Confidentiality: None
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-42318

Weaknesses
Weakness CWE-862

Credits

    @louissanchez-vokecyber (Reporter)
_____________________________________________________________________

Stored XSS in asset locks
High
cedric-anne published GHSA-hwjc-8228-55x4 Jun 1, 2026

Package
glpi (glpi)

Affected versions
>= 10.0.4, < 11.0.0

Patched versions
10.0.25


Description

Impact

A technician can store an XSS payload in the asset locks.

Patches

Upgrade to 10.0.25.

For more information

If you have any questions or comments about this advisory, mail us
at glpi-security@ow2.org.

Severity
High
8.4 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: High
  User Interaction: Active
Vulnerable System Impact Metrics
  Confidentiality: High
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-42321

Weaknesses
Weakness CWE-79
Weakness CWE-116

Credits

    @yavolo (Finder)

_____________________________________________________________________

Stored XSS in ITIL Costs
High
cedric-anne published GHSA-rhmv-j773-4gvh Jun 1, 2026

Package
glpi (glpi)

Affected versions
>= 11.0.0

Patched versions
11.0.7


Description

Impact

A technician can store an XSS payload in ITIL costs.

Patches

Upgrade to 11.0.7.

For more information

If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.


Severity
High
7.1 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: High
  Attack Requirements: None
  Privileges Required: High
  User Interaction: Active
Vulnerable System Impact Metrics
  Confidentiality: High
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-40108

Weaknesses
Weakness CWE-79

_____________________________________________________________________

Stored XSS in knowledge base
High
cedric-anne published GHSA-2fg5-jg72-h338 Jun 1, 2026

Package
glpi-project/glpi (glpi)

Affected versions
>= 11.0.0

Patched versions
11.0.7


Description

Impact

An unauthenticated user with write access to the knowledge base
can store an XSS payload in a knowledge base item.

Patches

Upgrade to 11.0.7.

For more information

If you have any questions or comments about this advisory, mail
us at glpi-security@ow2.org.


Severity
High
8.4 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: High
  User Interaction: Active
Vulnerable System Impact Metrics
  Confidentiality: High
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-5385

Weaknesses
Weakness CWE-79

Credits

    @researchatfluidattacks (Reporter)

_____________________________________________________________________

Unauthorized export of form structure
Moderate
trasher published GHSA-cg63-qchq-q626 May 18, 2026

Package
glpi (glpi)

Affected versions
>= 11.0.0

Patched versions
11.0.7


Description

Impact

An authenticated user with forms READ permission can export the
structure of unauthorized forms.


Patches

Upgrade to 11.0.7.

For more information

If you have any questions or comments about this advisory, mail
us at glpi-security@ow2.org.

Severity
Moderate
5.1 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: High
  User Interaction: None
Vulnerable System Impact Metrics
  Confidentiality: Low
  Integrity: None
  Availability: None
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-32312

Weaknesses
Weakness CWE-862

Credits

    @ccailly (Reporter)
    @yavolo (Reporter)

_____________________________________________________________________

Arbitrary files deletion by technician
High
cedric-anne published GHSA-jf72-cvjh-px5w Jun 1, 2026

Package
glpi (glpi)

Affected versions
>= 0.78, < 11.0.0
>= 11.0.0

Patched versions
10.0.25
11.0.7


Description

Impact

A technician can delete arbitrary files from the filesystem as long as
the webserver has write rights on them.


Patches

Upgrade to 10.0.25 or 11.0.7.

For more information

If you have any questions or comments about this advisory, mail us
at glpi-security@ow2.org.


Severity
High
7.0 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: High
  User Interaction: None
Vulnerable System Impact Metrics
  Confidentiality: None
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-42317

Weaknesses
No CWEs

Credits

    @HuajiHD (Reporter)
    @wooseokdotkim (Reporter)

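The six advisories above span two maintained GLPI branches, and the affected ranges are expressed in GitHub's notation (">= 9.5.0, < 11.0.0" plus ">= 11.0.0"), so a quick mental check is easy to get wrong: 11.0.6 is newer than 10.0.25 but still unpatched for most of these issues, while 10.0.4 is untouched by the asset-lock XSS. The script below is an added example, not part of the CERT-Renater bulletin or of the GLPI project. It transcribes the affected ranges and patched releases from the advisories above into a small version checker and reports which advisories apply to an installed version and which release of its branch to upgrade to. It assumes that within each branch the affected range ends at the first patched release named in the advisory (10.0.25 for 10.x, 11.0.7 for 11.x), and it treats a pre-release of a patched version (for example "11.0.7-rc1") as still unpatched.

```python
"""Check an installed GLPI version against the six advisories in this bulletin.

Added example, not part of the CERT-Renater bulletin or the GLPI project.
Ranges are transcribed from the advisories above; the assumption made here
is that within each branch the affected range ends at the first patched
release (10.0.25 for the 10.x branch, 11.0.7 for the 11.x branch).
"""
from __future__ import annotations

import sys

# (advisory id, CVE id, title, affected ranges as [lower inclusive, upper exclusive))
ADVISORIES = [
    ("GHSA-w7mr-3vwm-2j22", "CVE-2026-42318", "Arbitrary item deletion via planning",
     [("9.5.0", "10.0.25"), ("11.0.0", "11.0.7")]),
    ("GHSA-hwjc-8228-55x4", "CVE-2026-42321", "Stored XSS in asset locks",
     [("10.0.4", "10.0.25")]),  # the advisory lists only versions < 11.0.0 as affected
    ("GHSA-rhmv-j773-4gvh", "CVE-2026-40108", "Stored XSS in ITIL Costs",
     [("11.0.0", "11.0.7")]),
    ("GHSA-2fg5-jg72-h338", "CVE-2026-5385", "Stored XSS in knowledge base",
     [("11.0.0", "11.0.7")]),
    ("GHSA-cg63-qchq-q626", "CVE-2026-32312", "Unauthorized export of form structure",
     [("11.0.0", "11.0.7")]),
    ("GHSA-jf72-cvjh-px5w", "CVE-2026-42317", "Arbitrary files deletion by technician",
     [("0.78", "10.0.25"), ("11.0.0", "11.0.7")]),
]

# First patched release of each maintained branch, per the bulletin header.
PATCHED_BY_BRANCH = {10: "10.0.25", 11: "11.0.7"}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '10.0.25', '0.78' or '11.0.7-rc1' into a comparable 4-tuple.

    The fourth element is 1 for a final release and 0 for a pre-release
    (anything with a '-suffix'), so '11.0.7-rc1' sorts below '11.0.7' and is
    therefore still inside the affected range.
    """
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)


def is_affected(version: str, ranges: list[tuple[str, str]]) -> bool:
    """True if the version falls inside any of the [lower, upper) ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def applicable_advisories(version: str) -> list[str]:
    """GHSA ids of the advisories above that apply to the installed version."""
    return [ghsa for ghsa, _cve, _title, ranges in ADVISORIES if is_affected(version, ranges)]


def recommended_upgrade(version: str) -> str | None:
    """Patched release of the installed version's branch, or None if already patched."""
    v = parse_version(version)
    target = PATCHED_BY_BRANCH[11] if v >= (11, 0, 0, 0) else PATCHED_BY_BRANCH[10]
    return None if v >= parse_version(target) else target


if __name__ == "__main__":
    # Constructed sample input; pass the real version from GLPI's "About" page.
    installed = sys.argv[1] if len(sys.argv) > 1 else "10.0.24"
    hits = applicable_advisories(installed)
    print(f"GLPI {installed}: {len(hits)} applicable advisories")
    for ghsa, cve, title, _ranges in ADVISORIES:
        if ghsa in hits:
            print(f"  {ghsa}  {cve}  {title}")
    upgrade = recommended_upgrade(installed)
    print("  upgrade to", upgrade if upgrade else "(already on a patched release)")
```

Running it with `python glpi_check.py 11.0.6` lists five advisories (everything except the asset-lock XSS, whose affected range stops at 11.0.0) and recommends 11.0.7; `10.0.25` and `11.0.7` report nothing. The `PATCHED_BY_BRANCH` table is the detail to keep in mind when reading the bulletin: a 10.x installation is fixed by 10.0.25, not by "anything newer than 10.0.25", because 11.0.0 to 11.0.6 are themselves affected.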

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================