PatchSiren cyber security CVE debrief
CVE-2026-53987 Tag plugin CVE debrief
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to. This vulnerability has a high impact on the security of GLPI 11 installations with the Tag plugin.
- Vendor
- Tag plugin
- Product
- GLPI 11
- CVSS
- HIGH 7.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of GLPI 11 with the Tag plugin installed, particularly those with TAG MANAGEMENT create or update rights, should be aware of this vulnerability and take steps to mitigate it. Additionally, administrators and security teams responsible for GLPI 11 installations should review the vulnerability and implement necessary security measures to protect against potential attacks.
Technical summary
The vulnerability exists in the Tag plugin for GLPI 11 before version 2.14.4. The plugin fails to properly sanitize user-input tag names, allowing an authenticated user with TAG MANAGEMENT rights to inject malicious HTML code. This code is then executed in the browser of any user viewing the Kanban for a ticket, problem, change, or project associated with the malicious tag. The vulnerability is due to a lack of output escaping in the PluginTagTag::preKanbanContent() function.
Defensive priority
High
Recommended defensive actions
- Update the Tag plugin to version 2.14.4 or later
- Restrict TAG MANAGEMENT create and update rights to trusted users
- Implement additional security measures, such as input validation and output encoding, for user-supplied tag names
- Monitor for suspicious activity, particularly in the Kanban views of tickets, problems, changes, and projects
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-09T17:17:01.277Z and has not been modified since then. The NVD entry is currently in the 'Received' status. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the information with the vendor or other sources for further details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:17:01.277Z and has not been modified since then. The NVD entry is currently Received.