{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25590", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.716Z", "datePublished": "2026-03-03T22:14:01.596Z", "dateUpdated": "2026-03-04T16:52:27.907Z"}, "containers": {"cna": {"title": "GLPI Inventory Plugin has Reflected XSS in task jobs", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw"}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"version": "< 1.6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:14:01.596Z"}, "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6."}], "source": {"advisory": "GHSA-54x7-6fhx-3wmw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:52:19.402522Z", "id": "CVE-2026-25590", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:52:27.907Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:52:19.402522Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:52:24.703Z"}}], "cna": {"title": "GLPI Inventory Plugin has Reflected XSS in task jobs", "source": {"advisory": "GHSA-54x7-6fhx-3wmw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi-inventory-plugin", "versions": [{"status": "affected", "version": "< 1.6.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw", "name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:14:01.596Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25590", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:52:27.907Z", "dateReserved": "2026-02-03T01:02:46.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:14:01.596Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C6C195-DCBB-4921-BDFF-CAD1971700EA", "versionEndExcluding": "1.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6."}], "id": "CVE-2026-25590", "lastModified": "2026-03-05T21:23:06.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-03T23:15:53.800", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-54x7-6fhx-3wmw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.6)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "glpi-inventory-plugin", "source": "cna", "vendor": "glpi-project"}, "product": "glpi_inventory", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-04-16T13:53:00.668969+00:00", "value": {"mitigation_remediation": ["Upgrade the GLPI Inventory Plugin to version 1.6.6 or later.", "If an immediate upgrade is not feasible, restrict access to the task jobs page to trusted users or disable the feature until a patch is available.", "Deploy Web Application Firewall rules to block payloads containing script tags or encoded JavaScript in task job inputs."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting (CWE\u201179)"}, "threat_synthesis": {"affected_systems": "The flaw affects all releases of the GLPI Inventory Plugin older than 1.6.6. Versions 1.6.6 and newer contain the fix. The affected product is the glpi-project glpi-inventory-plugin, and the issue is documented by the GLPI project and disclosed on GitHub.", "description_and_impact": "The GLPI Inventory Plugin manages network discovery, inventory, software deployment and data collection for GLPI agents. It contains a reflected XSS flaw in the task jobs page that exists before version 1.6.6. An attacker can inject malicious scripts into the URL or form fields associated with task jobs, causing the browser of anyone who views the page to execute arbitrary JavaScript. This vulnerability is cataloged as CWE\u201179 and, while it does not grant direct code execution on the server, it can facilitate phishing, cookie theft or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 4.5 indicates moderate impact, and the EPSS score of less than 1% shows low exploitation probability as of the current data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted URL or form input that a victim visits or submits, which allows an attacker to inject JavaScript into the task jobs page. The flaw requires a victim to open the page; no privileged access is necessary, so it can be exploited via social engineering or phishing campaigns."}}}}, "created": "2026-03-04T14:53:38.026172+00:00", "updated": "2026-04-16T14:00:19.465827+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi_inventory"]}