VYPR
Unrated severity · OSV Advisory · Published Dec 16, 2025 · Updated Dec 16, 2025

GLPI Vulnerable to Unauthenticated Stored XSS on the Inventory page

CVE-2025-59935

Description

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.
