GLPI 11.0.0 - Stored XSS in knowledge base
8.4
High
Detected by
Fluid Attacks AI SAST Scanner
Disclosed by
Oscar Uribe
Summary
Full name
GLPI 11.0.0 - Stored XSS in knowledge base
Code name
State
Public
Release date
Affected product
glpi
Vendor
glpi-project
Affected version(s)
< 11.0.7
Fixed version(s)
11.0.7
Vulnerability name
Stored cross-site scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS v4.0 base score
8.4
Exploit available
Yes
CVE ID(s)
Description
GLPI 11.0.6 contains a stored cross-site scripting (XSS) vulnerability in KnowbaseItemController::content(). The /Knowbase/KnowbaseItem/{id}/Content endpoint returns the contents of glpi_knowbaseitems.answer directly in the HTTP response via return new Response($kbitem->fields['answer']); without applying output sanitization.
An authenticated attacker with the ability to create or modify knowledge base articles can store malicious HTML or JavaScript in the answer field and cause arbitrary script execution in the browser of another authorized user who accesses the affected endpoint. In contrast, the /Knowbase/KnowbaseItem/{id}/Full rendering path processes the same content through KnowbaseItem::getAnswer() and RichText::getEnhancedHtml(...), which removes dangerous attributes such as onerror.
Vulnerability
Case A: functional UI store -> raw /Content response
Source persistence: create KB article from standard UI (front/knowbaseitem.form.php) with answer=
<img src=x onerror=alert('KB_A')>.Stored value remains raw in DB (glpi_knowbaseitems.answer).
Sink: GET /Knowbase/KnowbaseItem/{id}/Content returns exact payload as response body.
Impact: stored HTML/JS attributes are exposed unfiltered to any authorized viewer of the endpoint.
Case A2: benign HTML also returned raw
UI article created with answer=
<b>KB_A2</b>./Content response body is exactly
<b>KB_A2</b>.Confirms endpoint behavior is raw HTML passthrough, not escaped text.
Case B: direct DB insertion -> raw /Content response
Source persistence: insert KB row directly with answer=
<img src=x onerror=alert('KB_DB')>.Sink: /Knowbase/KnowbaseItem/{id}/Content returns exact payload.
Confirms exploitability does not depend on editor-side transformations.
Case B2: differential behavior with /Full
/Knowbase/KnowbaseItem/{id}/Full sanitizes same payload to safe output (
<img src="x" loading="lazy" />).This isolates the vulnerable behavior to the /Content route implementation.
Relevant code:
src/Glpi/Controller/Knowbase/KnowbaseItemController.php:70
src/KnowbaseItem.php:1999-2002
templates/components/itilobject/timeline/knowledge_item.html.twig:68-73
PoC
Log in as an authenticated user with KB write permissions.
Create a KB item with a payload in
answer:
Open:
Expected result:
Response body returns payload unchanged.
Evidence of Exploitation
Video of exploitation:
Vulnerable request:
XSS triggered:
Our security policy
We have reserved the ID CVE-2026-5385 to refer to this issue from now on.
System Information
GLPI
Version < 11.0.7
Operating System: Any
References
Github Repository: https://github.com/glpi-project
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-2fg5-jg72-h338
Patch: https://github.com/glpi-project/glpi/releases/tag/11.0.7
Mitigation
An updated version of GLPI is available at the vendor page.
Credits
The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team using the AI SAST Scanner.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Vendor confirmed
Vulnerability patched
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
