{"id":"CVE-2026-25932","summary":"GLPI has Stored XSS in Supplier 'Website' field","details":"GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.","aliases":["GHSA-m627-945g-x7xh"],"modified":"2026-07-08T07:32:27.097322375Z","published":"2026-04-06T14:31:02.319Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25932.json","cwe_ids":["CWE-116","CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25932.json"},{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-m627-945g-x7xh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25932"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/glpi-project/glpi","events":[{"introduced":"b7d568424cbb73367a167b3bfb1512086053e635"},{"fixed":"c4fffb422074785be9ff6125053b8d7398142d45"}],"database_specific":{"cpe":"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0.60"},{"fixed":"10.0.24"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25932.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}