VYPR
High severity · NVD Advisory · Published Jun 2, 2026

CVE-2026-5385

Description

GLPI versions before 11.0.7 are vulnerable to stored XSS in the knowledge base, allowing unauthenticated users with write access to inject malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GLPI versions prior to 11.0.7 contain a stored cross-site scripting (XSS) vulnerability within the knowledge base functionality. This vulnerability exists in the KnowbaseItemController::content() method, where the answer field of a knowledge base item is returned directly without proper output sanitization when accessed via the /Knowbase/KnowbaseItem/{id}/Content endpoint [3].

Exploitation

An attacker with write access to the knowledge base can create or modify a knowledge base item and inject an XSS payload into the answer field. When an authorized user accesses the affected endpoint to view the knowledge base item's content, the stored payload will be executed in their browser [3]. The vulnerability does not require specific privileges beyond the ability to write to the knowledge base [2, 3].

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary scripts in the context of the victim user's browser. This can lead to various malicious actions, such as session hijacking, information disclosure, or further manipulation of the application, depending on the privileges of the user viewing the compromised knowledge base item [3].

Mitigation

This vulnerability was fixed in GLPI version 11.0.7, released on 2026-06-02 [4]. Users are strongly advised to upgrade to this version or a later one to address the security issue. No workarounds are specified in the available references.

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0ea900cb51a3

Bump version

https://github.com/glpi-project/glpi · Johan Cwiklinski · Apr 29, 2026 · Fixed in 11.0.7 via release-tag
1 file changed · +1 −1
  • src/autoload/constants.php (+1 −1, modified)
    @@ -40,7 +40,7 @@
     define('GLPI_ROOT', dirname(__DIR__, 2));
     
     // Current version of GLPI
    -define('GLPI_VERSION', '11.0.7-dev');
    +define('GLPI_VERSION', '11.0.7');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
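Review bot: this hunk only changes the GLPI_VERSION constant from '11.0.7-dev' to '11.0.7' in src/autoload/constants.php; it contains none of the output-sanitization change for the knowledge base answer field that the advisory attributes to 11.0.7. The "Fixed in 11.0.7 via release-tag" label above is therefore a release marker, not the code fix. Suggest linking the commit that actually touches src/Glpi/Controller/Knowbase/KnowbaseItemController.php and src/KnowbaseItem.php (the paths the advisory names) so reviewers can verify what was changed, and documenting in the note that this diff is the version bump only.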
    

Vulnerability mechanics

Root cause

"The knowledge base item answer field does not properly sanitize HTML or JavaScript, allowing for stored cross-site scripting."

Attack vector

An unauthenticated user with write access to the knowledge base can create or modify a knowledge base item. They can then store a malicious HTML or JavaScript payload within the answer field of this item. When another authorized user accesses the affected endpoint, the stored payload is executed in their browser, leading to arbitrary script execution [ref_id=1]. This vulnerability is specifically triggered by the `/Knowbase/KnowbaseItem/{id}/Content` rendering path, which does not sanitize the input [ref_id=1].

Affected code

The vulnerability lies in the handling of the answer field for knowledge base items. Specifically, the `/Knowbase/KnowbaseItem/{id}/Content` endpoint processes this content without adequate sanitization. The advisory points to `src/Glpi/Controller/Knowbase/KnowbaseItemController.php:70`, `src/KnowbaseItem.php:1999-2002`, and `templates/components/itilobject/timeline/knowledge_item.html.twig:68-73` as relevant code paths [ref_id=1].

What the fix does

The patch updates the GLPI version from '11.0.7-dev' to '11.0.7' [patch_id=4524226]. While the provided patch only increments the version number, the advisory indicates that an updated version of GLPI is available as a mitigation [ref_id=1]. This suggests that the fix involves sanitizing the input in the answer field of knowledge base items to prevent the execution of malicious scripts.
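The defensive pattern the advisory implies, treating the stored answer field as untrusted and passing it through an allowlist sanitizer before it is rendered, as an added example that is not GLPI's code. It is a small standard-library Python sanitizer: ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_SCHEMES, sanitize_answer() and the STORED_ANSWER sample are all constructed for this illustration, and the allowlist is deliberately narrow.

```python
"""Allowlist sanitizer for a stored rich-text field, applied at render time.
Added illustration; not GLPI code. All names and sample data are constructed."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags the knowledge base editor is expected to produce.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # no style=, no on*= handlers anywhere
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag and its text are both discarded


def _safe_href(value: str) -> bool:
    # Browsers ignore ASCII tab/newline inside URLs, so strip them before the
    # scheme check; entity-encoded characters were already decoded by the parser.
    v = "".join(ch for ch in value if ch not in "\t\n\r").strip().lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True            # relative URL, no scheme
    return v.startswith(SAFE_URL_SCHEMES)


class Sanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []         # allowlisted tags still open, to close on exit
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return             # unknown tag dropped, its text is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue       # drops onerror=, onclick=, src=, style=, ...
            if name == "href" and not _safe_href(value):
                continue       # drops javascript: and other unsafe schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:       # close any tags left open inside this one
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped

    def result(self) -> str:
        self.close()
        while self.open:       # balance anything the input left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_answer(stored_html: str) -> str:
    """Return a rendering-safe version of a stored answer field."""
    s = Sanitizer()
    s.feed(stored_html)
    return s.result()


# Constructed sample of a stored answer mixing legitimate formatting with
# the kinds of markup a sanitizer must neutralize.
STORED_ANSWER = (
    '<p>Reset the printer via <a href="https://intranet.example/printers" '
    'onclick="x()">this page</a>.</p>'
    '<script>alert(1)</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">support</a>'
    '<b>Note:</b> use 1 &lt; 2'
)

if __name__ == "__main__":
    print(sanitize_answer(STORED_ANSWER))
```

The output keeps the paragraph, the https link and the bold text, but the script element, the image with its event handler, the onclick attribute and the javascript: href are all gone, and text is re-escaped on the way out. The sanitizer rebuilds the markup rather than trying to strip bad patterns out of the original string, which is what makes the allowlist hold. In a real deployment a maintained library (for example nh3 or bleach in Python, HTML Purifier in PHP) should take the place of this hand-written parser, and the sanitized value must be the one that reaches the template: any Twig output that bypasses autoescaping with |raw needs to receive sanitized content, never the raw stored field.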

Preconditions

  • auth: the user must have write access to the knowledge base.
  • input: the payload must be stored in the answer field of a knowledge base item.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
