CVE-2026-53987: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pluginsGLPI GLPI 11
CVE-2026-53987 is a stored cross-site scripting (XSS) vulnerability in the Tag plugin for GLPI 11. The plugin versions before 2.14.4 store tag names without HTML sanitization and render them without output escaping in the Kanban badge markup. An authenticated user with tag management create or update permissions can inject malicious HTML into tag names, which executes in the browsers of users viewing the Kanban view of tickets, problems, changes, or projects associated with those tags.
AI Analysis
Technical Summary
The Tag plugin for GLPI 11 prior to version 2.14.4 suffers from a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation. Specifically, the tag name is stored without HTML sanitization and rendered via PluginTagTag::preKanbanContent() without output escaping. This allows an authenticated user with TAG MANAGEMENT create or update rights to inject HTML code into tag names. When other users open the Kanban view of any ticket, problem, change, or project tagged with the malicious tag, the injected code executes in their browsers, leading to a stored XSS condition.
Potential Impact
Successful exploitation allows an authenticated user with tag management privileges to execute arbitrary HTML or script code in the browsers of other users who view the Kanban interface. This can lead to session hijacking, unauthorized actions, or other malicious activities within the context of the affected GLPI instance. The vulnerability requires authenticated access with specific privileges and user interaction to view the affected Kanban views.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict TAG MANAGEMENT create or update rights to trusted users only. Monitor vendor channels for updates or patches addressing this vulnerability.
CVE-2026-53987: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pluginsGLPI GLPI 11
Description
CVE-2026-53987 is a stored cross-site scripting (XSS) vulnerability in the Tag plugin for GLPI 11. The plugin versions before 2.14.4 store tag names without HTML sanitization and render them without output escaping in the Kanban badge markup. An authenticated user with tag management create or update permissions can inject malicious HTML into tag names, which executes in the browsers of users viewing the Kanban view of tickets, problems, changes, or projects associated with those tags.
CVSS v4.0
Score 7.3high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Tag plugin for GLPI 11 prior to version 2.14.4 suffers from a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation. Specifically, the tag name is stored without HTML sanitization and rendered via PluginTagTag::preKanbanContent() without output escaping. This allows an authenticated user with TAG MANAGEMENT create or update rights to inject HTML code into tag names. When other users open the Kanban view of any ticket, problem, change, or project tagged with the malicious tag, the injected code executes in their browsers, leading to a stored XSS condition.
Potential Impact
Successful exploitation allows an authenticated user with tag management privileges to execute arbitrary HTML or script code in the browsers of other users who view the Kanban interface. This can lead to session hijacking, unauthorized actions, or other malicious activities within the context of the affected GLPI instance. The vulnerability requires authenticated access with specific privileges and user interaction to view the affected Kanban views.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict TAG MANAGEMENT create or update rights to trusted users only. Monitor vendor channels for updates or patches addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-11T16:07:13.001Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4fcd4d68715ace43b4cb58
Added to database: 07/09/2026, 16:33:17 UTC
Last enriched: 07/09/2026, 16:47:36 UTC
Last updated: 07/09/2026, 16:51:02 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.