On April 29, 2026, the GLPI project released versions 11.0.7 and 10.0.25. Together, these updates address 13 security vulnerabilities — four rated high severity, two medium, and seven low. If you run GLPI in production, updating should be an immediate priority.
Four high-severity vulnerabilities
The most critical fixes address stored XSS attacks and unauthorized data deletion:
- CVE-2026-5385 — Stored XSS in the knowledge base. An attacker can inject malicious scripts into knowledge base articles that execute when viewed by other users. Affects the 11.0 branch.
- CVE-2026-40108 — Stored XSS in ITIL Costs. A similar attack vector through cost fields in tickets and changes. Affects the 11.0 branch.
- CVE-2026-42318 — Arbitrary item deletion via planning. An authenticated user can delete arbitrary objects through the planning module. Affects both 10.0 and 11.0 branches.
- CVE-2026-42317 — Arbitrary file deletion by technicians. A technician-level user can delete files they should not have access to. Affects both 10.0 and 11.0 branches.
The combination of stored XSS and data deletion is particularly dangerous: an attacker can first steal an administrator's session cookie via XSS, then exploit the elevated privileges to delete critical files or objects.
Medium and low severity
Two medium-severity vulnerabilities:
- CVE-2026-32312 — unauthorized export of form structure (11.0 branch only).
- CVE-2026-42320 — arbitrary file access (both 10.0 and 11.0 branches).
Seven low-severity fixes focus primarily on webhooks and configuration: unauthorized configuration changes, IMAP connection probing, unauthorized reading of specific asset objects, webhook payload template manipulation, SSRF via webhook CRA validation, CRA signature bypass for webhooks, and unauthorized resending of queued webhooks.
Who is affected
If you run GLPI 11.0.0 through 11.0.6, you are vulnerable to all 13 issues. Users on the 10.0 branch (before 10.0.25) are affected by CVE-2026-42318, CVE-2026-42317, CVE-2026-42320, and a stored XSS in asset locks (CVE-2026-42321). The webhook vulnerabilities only affect the 11.0 branch, since webhooks were introduced in GLPI 11.
How to update
The procedure is the same as for the previous 11.0.6 update: back up the database and files, verify plugin compatibility, enable maintenance mode, replace files, and run php bin/console db:update. If you are updating from 11.0.6, the migration is fast — schema changes are minimal.
Download archives:
- GLPI 11.0.7 — GitHub release (glpi-project/glpi, tag 11.0.7)
- GLPI 10.0.25 — GitHub release (glpi-project/glpi, tag 10.0.25)
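An added shell script sketching the update procedure described above (example code, not the GLPI project's own): it first checks whether the installed version is below the fixed release for its branch, then backs up the database and files, enables maintenance mode, replaces the application files and runs db:update. Assumed, not taken from the page: the GLPI_VERSION constant in inc/define.php, the glpi:maintenance:enable/disable console commands, MySQL credentials in ~/.my.cnf, and a release tarball whose contents sit under a top-level glpi/ directory.

```shell
#!/usr/bin/env bash
# Added example, not GLPI project code. Assumes GLPI in $GLPI_DIR, MySQL credentials in
# ~/.my.cnf, a release tarball with a top-level glpi/ directory, and local data kept in place.
set -eu
GLPI_DIR="${GLPI_DIR:-/var/www/glpi}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/glpi}"
DB_NAME="${DB_NAME:-glpi}"

# Exit 0 when the installed version is older than the fixed release for its branch
# (11.0.7 or 10.0.25, as stated in the advisory); 1 when it is already fixed.
needs_update() {
    local installed="$1" fixed lowest
    case "$installed" in
        11.0.*) fixed="11.0.7" ;;
        10.0.*) fixed="10.0.25" ;;
        *) echo "unsupported branch: $installed" >&2; return 2 ;;
    esac
    [ "$installed" = "$fixed" ] && return 1
    # sort -V orders version strings numerically; the older one comes out first.
    lowest="$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)"
    [ "$lowest" = "$installed" ]
}

# Read GLPI_VERSION from inc/define.php (assumed location of the constant).
installed_version() {
    sed -n "s/.*GLPI_VERSION', *'\([0-9.]*\)'.*/\1/p" "$GLPI_DIR/inc/define.php"
}

update_glpi() {
    local archive="$1" stamp
    stamp="$(date +%Y%m%d-%H%M%S)"; mkdir -p "$BACKUP_DIR"
    # 1. Back up database and files before touching anything.
    mysqldump --single-transaction "$DB_NAME" | gzip >"$BACKUP_DIR/db-$stamp.sql.gz"
    tar -C "$(dirname "$GLPI_DIR")" -czf "$BACKUP_DIR/files-$stamp.tar.gz" "$(basename "$GLPI_DIR")"
    # 2. Plugin compatibility is checked by hand; 3. maintenance mode keeps users out meanwhile.
    php "$GLPI_DIR/bin/console" glpi:maintenance:enable
    # 4. Replace application files, leaving local config, data and plugins untouched.
    tar -xzf "$archive" -C "$GLPI_DIR" --strip-components=1 \
        --exclude='glpi/config' --exclude='glpi/files' \
        --exclude='glpi/plugins' --exclude='glpi/marketplace'
    # 5. Apply schema changes non-interactively, then reopen the instance.
    php "$GLPI_DIR/bin/console" db:update --no-interaction
    php "$GLPI_DIR/bin/console" glpi:maintenance:disable
}

if [ "${1:-}" = "--run" ]; then
    v="$(installed_version)"; [ -n "$v" ] || { echo "cannot read GLPI_VERSION" >&2; exit 1; }
    if needs_update "$v"; then update_glpi "${2:?path to release tarball}"; else echo "GLPI $v is already fixed"; fi
fi
```

Run it as `./update.sh --run /path/to/glpi-11.0.7.tgz`; without `--run` it only defines the functions, so the version check can be sourced and used on its own.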
Why you should not delay
Three security updates have been released in the past three months (11.0.5, 11.0.6, 11.0.7). This cadence indicates active security research targeting GLPI — published CVEs lower the barrier for potential attackers. Every day without the update is a day your instance is exposed to known, documented vulnerabilities.
If you are still on the 10.0 branch, update to at least 10.0.25. Support for the 10.0 branch is nearing end of life, and future fixes will be available exclusively for 11.0.