Back to overview

CVE-2026-53987

MEDIUM
6.4
CVSS 3.1
Description
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.

Metadata

CVE ID
CVE-2026-53987
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-11 16:07 UTC
Published
2026-07-09 15:44 UTC
Last updated
2026-07-09 17:49 UTC
Primary CWE
CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product
pluginsGLPI / GLPI 11
Sources
cve.org  ·  NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
pluginsGLPI GLPI 11 2.6.0 < 2.14.4
Weakness (CWE)
CWESourceDescription
CWE-79 cna Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.3 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
6.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Back to overview