PatchSiren cyber security CVE debrief
CVE-2026-55466 grokability CVE debrief
CVE-2026-55466 is a vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.6.2, the UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml. The UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer's browser. This issue is fixed in version 8.6.2. The vulnerability has a CVSS score of 6.2 and is classified as Medium severity.
- Vendor
- grokability
- Product
- snipe-it
- CVSS
- MEDIUM 6.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Snipe-IT versions prior to 8.6.2 should be aware of this vulnerability and take steps to mitigate it. This includes administrators, security teams, and IT personnel responsible for maintaining and securing Snipe-IT installations.
Technical summary
The vulnerability exists in the UploadFileRequest and UploadedFilesController components of Snipe-IT. Specifically, the UploadFileRequest only sanitizes SVG content when PHP finfo reports it as image/svg+xml. Additionally, the UploadedFilesController serves attachments inline without properly validating their content using StorageHelper::allowSafeInline(). This allows a low-privilege user to upload malicious XHTML or XML content that can execute JavaScript in the browser of a user who views the content.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Snipe-IT version 8.6.2 or later
- Restrict upload privileges to trusted users
- Implement additional validation and sanitization for uploaded content
- Monitor for suspicious activity and implement compensating controls
- Review and update incident response plans to address potential exploitation
- Conduct regular security audits and vulnerability assessments
- Implement a Web Application Firewall (WAF) to detect and prevent attacks
Evidence notes
The CVE record was published on 2026-07-10T20:16:46.970Z and has not been modified since then. The NVD entry is currently 6.2, Medium. References include commits and releases from the Snipe-IT GitHub repository. The vulnerability was reported by a security researcher who found that the UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml, and the UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline().
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:46.970Z and has not been modified since then.