
CVE-2026-25590: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi-inventory-plugin

Severity: Medium
Tags: Vulnerability, CVE-2026-25590, CWE-79
Published: Tue Mar 03 2026 (03/03/2026, 22:14:01 UTC)
Source: CVE Database V5
Vendor/Project: glpi-project
Product: glpi-inventory-plugin

Description

The GLPI Inventory Plugin handles network discovery, inventory, software deployment, and data collection for GLPI agents. Prior to 1.6.6, there is a reflected XSS vulnerability in task jobs. This vulnerability is fixed in 1.6.6.

AI-Powered Analysis

Last updated: 03/03/2026, 22:48:08 UTC

Technical Analysis

CVE-2026-25590 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the GLPI Inventory Plugin, a component of the GLPI project used for network discovery, inventory management, software deployment, and data collection from GLPI agents. The vulnerability exists in versions prior to 1.6.6 and is categorized under CWE-79, which involves improper neutralization of input during web page generation. Specifically, the flaw occurs in the handling of task jobs where user-supplied input is not properly sanitized or encoded before being reflected in the web interface, enabling attackers to inject malicious JavaScript code. The CVSS v3.1 base score is 4.5, indicating a medium severity level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but demands high privileges (PR:H) and user interaction (UI:R). The vulnerability affects confidentiality (C:H) but does not impact integrity or availability. Exploitation requires an authenticated user with sufficient privileges to trigger the reflected XSS, which could lead to session hijacking, credential theft, or other client-side attacks. The vulnerability was reserved in early February 2026 and published in March 2026, with no known exploits in the wild reported to date. The issue is resolved in GLPI Inventory Plugin version 1.6.6, and users are advised to upgrade promptly to mitigate risk.

Potential Impact

The primary impact of CVE-2026-25590 is on the confidentiality of data within organizations using the GLPI Inventory Plugin versions prior to 1.6.6. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated user's browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. Since the vulnerability requires authenticated access with high privileges and user interaction, the attack surface is limited to insiders or attackers who have compromised credentials. However, in environments where GLPI is used for critical IT asset management and network inventory, such an attack could facilitate further lateral movement or data exfiltration. The reflected XSS does not affect system integrity or availability directly but can be a stepping stone for more complex attacks. Organizations worldwide relying on GLPI for IT management could face targeted attacks aiming to compromise administrative sessions or extract confidential inventory data, impacting operational security and compliance.

Mitigation Recommendations

To mitigate CVE-2026-25590, organizations should immediately upgrade the GLPI Inventory Plugin to version 1.6.6 or later, where the vulnerability is patched. In addition to patching, administrators should enforce the principle of least privilege by restricting access to the GLPI interface and limiting high-privilege accounts to trusted personnel only. Implementing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting the execution of unauthorized scripts. Regularly auditing user accounts and monitoring for suspicious activities can detect potential exploitation attempts. Web application firewalls (WAFs) configured to detect and block reflected XSS payloads may provide an additional layer of defense. Finally, educating users about the risks of clicking on untrusted links or interacting with suspicious content within the GLPI environment can reduce the likelihood of successful exploitation.
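The flaw the technical analysis describes (a parameter reflected into HTML without encoding) and the two code-level mitigations above (encoding at the output point, plus a Content-Security-Policy header as defence in depth) are shown side by side in the following Python example. It is written for this page and is not code from GLPI or the inventory plugin: the handler names, the `job_name` parameter, the `/hypothetical/taskjob` path and the access-log lines are all constructed assumptions, since the plugin's real page and parameter names are not given here. The last function is a simple log check of the kind the "monitoring for suspicious activities" recommendation refers to.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical 'before' and 'after' handlers for a page that echoes a task-job
# name back to the user. The names, the job_name parameter and the path used
# below are assumptions made for this example, not the plugin's real code.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"

# Constructed sample input: a percent-encoded job name carrying markup.
SAMPLE_QUERY = "job_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
DECODED_PAYLOAD = "<script>alert(1)</script>"

# Coarse indicator of markup in a decoded parameter value; tune it for your data.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def _job_name(query_string: str) -> str:
    """Extract the (percent-decoded) job_name parameter from a query string."""
    return parse_qs(query_string).get("job_name", [""])[0]


def render_job_vulnerable(query_string: str) -> dict:
    """'Before': the decoded parameter is interpolated into HTML verbatim."""
    body = f"<h1>Task job: {_job_name(query_string)}</h1>"
    return {"headers": {"Content-Type": "text/html; charset=utf-8"}, "body": body}


def render_job_fixed(query_string: str) -> dict:
    """'After': HTML-encode the value where it is written into the page and
    send a CSP that disallows inline scripts as a second layer."""
    safe_name = html.escape(_job_name(query_string), quote=True)
    body = f"<h1>Task job: {safe_name}</h1>"
    return {
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": CSP_HEADER,
        },
        "body": body,
    }


def reflects_raw_markup(untrusted: str, response: dict) -> bool:
    """True when markup-bearing input appears in the body exactly as received."""
    return bool(MARKUP_RE.search(untrusted)) and untrusted in response["body"]


# Constructed access-log lines (Common Log Format); the path is a placeholder.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [03/Mar/2026:22:10:01 +0000] "GET /hypothetical/taskjob?job_name=nightly-backup HTTP/1.1" 200 512',
    '10.0.0.5 - admin [03/Mar/2026:22:10:07 +0000] "GET /hypothetical/taskjob?job_name=Bob%27s%20laptop HTTP/1.1" 200 514',
    '10.0.0.9 - admin [03/Mar/2026:22:11:30 +0000] "GET /hypothetical/taskjob?job_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '10.0.0.9 - admin [03/Mar/2026:22:11:42 +0000] "GET /hypothetical/taskjob?job_name=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 538',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_suspicious_requests(log_lines) -> list:
    """Return 1-based indices of log lines whose decoded query parameters
    contain markup; a starting point for alerting, not a WAF replacement."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for values in parse_qs(query).values():
            if any(MARKUP_RE.search(v) for v in values):
                flagged.append(number)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable handler reflects raw markup:",
          reflects_raw_markup(DECODED_PAYLOAD, render_job_vulnerable(SAMPLE_QUERY)))
    print("fixed handler reflects raw markup:",
          reflects_raw_markup(DECODED_PAYLOAD, render_job_fixed(SAMPLE_QUERY)))
    print("flagged log lines:", flag_suspicious_requests(SAMPLE_ACCESS_LOG))
```

Two points worth noting. Encoding happens at the output point (`html.escape` when the value is written into HTML), not on input, because the same value may later be emitted into a different context that needs a different encoding; the CSP does not fix the reflection but stops an injected inline script from executing in browsers that enforce it. The log check deliberately keys on angle brackets, `javascript:` and `on...=` attributes rather than on quotes, so that a legitimate value such as `Bob's laptop` is not flagged; it is a coarse indicator to tune, not a substitute for the 1.6.6 upgrade.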


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-03T01:02:46.716Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a761b1d1a09e29cb80d3f8

Added to database: 3/3/2026, 10:33:21 PM

Last enriched: 3/3/2026, 10:48:08 PM

Last updated: 3/4/2026, 7:18:51 AM

Views: 6
