{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-26026/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-26026"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-26026","template-injection","rce","glpi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGLPI is a widely used open-source IT asset management software. A critical vulnerability, CVE-2026-26026, affects versions 11.0.0 to 11.0.5. This vulnerability stems from a template injection flaw that can be exploited by a logged-in administrator. Successful exploitation allows the administrator to achieve remote code execution (RCE) on the underlying server. The vulnerability was reported on April 6, 2026, and has been patched in version 11.0.6. Organizations using vulnerable versions of GLPI should upgrade immediately to prevent potential compromise. The high CVSS score (9.1) reflects the severity and potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to a vulnerable GLPI instance (versions 11.0.0 - 11.0.5).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a section of the GLPI interface that allows for template modification.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious template containing code injection payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified template within the GLPI system.\u003c/li\u003e\n\u003cli\u003eThe GLPI system processes the malicious template, executing the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code allows the attacker to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to gain persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26026 can lead to complete compromise of the GLPI server. This allows an attacker to gain unauthorized access to sensitive IT asset information, customer data, and potentially other systems on the network. The impact is significant, as it allows for data breaches, service disruption, and further lateral movement within the organization\u0026rsquo;s infrastructure. Given GLPI\u0026rsquo;s function in managing IT assets, this can result in widespread damage across the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade GLPI to version 11.0.6 or later to patch CVE-2026-26026.\u003c/li\u003e\n\u003cli\u003eReview and audit GLPI administrator accounts for any suspicious activity or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect GLPI Template Injection Attempts\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to template management endpoints containing suspicious code constructs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect GLPI Template Injection RCE\u0026rdquo; rule in your SIEM.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the GLPI server to only authorized personnel and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T15:17:07Z","date_published":"2026-04-06T15:17:07Z","id":"/briefs/2026-04-glpi-rce/","summary":"GLPI versions 11.0.0 to before 11.0.6 are vulnerable to remote code execution (RCE) via template injection by an authenticated administrator, allowing for arbitrary code execution on the server.","title":"GLPI Template Injection RCE (CVE-2026-26026)","url":"https://feed.craftedsignal.io/briefs/2026-04-glpi-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-26026","version":"https://jsonfeed.org/version/1.1"}