PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55466 grokability CVE debrief

CVE-2026-55466 is a vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.6.2, the UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml. The UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer's browser. This issue is fixed in version 8.6.2. The vulnerability has a CVSS score of 6.2 and is classified as Medium severity.

Vendor
grokability
Product
snipe-it
CVSS
MEDIUM 6.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Snipe-IT versions prior to 8.6.2 should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and IT personnel responsible for maintaining and securing Snipe-IT installations.

Technical summary

The vulnerability exists in the UploadFileRequest and UploadedFilesController components of Snipe-IT. Specifically, the UploadFileRequest only sanitizes SVG content when PHP finfo reports it as image/svg+xml. Additionally, the UploadedFilesController serves attachments inline without properly validating their content using StorageHelper::allowSafeInline(). This allows a low-privilege user to upload malicious XHTML or XML content that can execute JavaScript in the browser of a user who views the content.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Snipe-IT version 8.6.2 or later
  • Restrict upload privileges to trusted users
  • Implement additional validation and sanitization for uploaded content
  • Monitor for suspicious activity and implement compensating controls
  • Review and update incident response plans to address potential exploitation
  • Conduct regular security audits and vulnerability assessments
  • Implement a Web Application Firewall (WAF) to detect and prevent attacks

Evidence notes

The CVE record was published on 2026-07-10T20:16:46.970Z and has not been modified since then. The NVD entry is currently 6.2, Medium. References include commits and releases from the Snipe-IT GitHub repository. The vulnerability was reported by a security researcher who found that the UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml, and the UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline().

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:46.970Z and has not been modified since then.