GHSA-qc6r-wrm6-23pm · Severity: high — The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and...
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.
Conclusion & alert: CVE-2026-53987 is rated Low Risk (38.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.34%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-10 | — | 0.34% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.3 | 4.0 | HIGH |
|
— | — | [email protected] |
| 6.4 | 3.1 | MEDIUM |
|
0.5 | 5.9 | [email protected] |
GHSA-qc6r-wrm6-23pm · Severity: high — The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||