{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26026", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T21:36:29.555Z", "datePublished": "2026-04-06T14:33:05.188Z", "dateUpdated": "2026-04-07T03:55:39.862Z"}, "containers": {"cna": {"title": "GLPI has a Server-Side Template Injection via Double-Compilation", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 11.0.0, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:33:05.188Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6."}], "source": {"advisory": "GHSA-2c98-648q-h27h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26026"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:55:39.862Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:31:12.427541Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:31:16.083Z"}}], "cna": {"title": "GLPI has a Server-Side Template Injection via Double-Compilation", "source": {"advisory": "GHSA-2c98-648q-h27h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 11.0.0, < 11.0.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:33:05.188Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26026", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:41:16.695Z", "dateReserved": "2026-02-09T21:36:29.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:33:05.188Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6."}], "id": "CVE-2026-26026", "lastModified": "2026-04-06T15:17:07.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:07.093", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-04-06T17:23:25.848790+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 11.0.6 or later, which removes the double\u2011compilation injection flaw."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GLPI open\u2011source asset and IT management application. Any installation of glpi\u2011project glpi in the version range 11.0.0 to (but not including) 11.0.6 is susceptible to exploitation.", "description_and_impact": "A server\u2011side template injection flaw exists in GLPI versions 11.0.0 through 11.0.5. The bug allows an administrator to inject arbitrary template code that is executed on the server during double\u2011compilation, resulting in full remote code execution. This falls under the weaknesses identified by CWE\u20111336 and CWE\u201194 and can compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS base score is 9.1, indicating a high severity risk. No EPSS score is presently available, and the issue is not listed in the CISA KEV catalog. Exfiltration requires administrative privileges to modify templates, which an attacker can use to exploit the injection vector and gain arbitrary code execution. The lack of publicly disclosed exploits does not reduce the actionable risk, given the high score and the ease of exploitation for a privileged user."}}}}, "created": "2026-04-06T20:14:28.642015+00:00", "updated": "2026-04-06T21:32:43.110369+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}