PatchSiren cyber security CVE debrief
CVE-2026-55474 grokability CVE debrief
CVE-2026-55474 is a high-severity vulnerability in Snipe-IT, a popular IT asset/license management system. The vulnerability, patched in version 8.5.0, allows an authenticated attacker to read arbitrary files accessible to the web server process through directory traversal in the ActionlogController::displaySig method. This issue arises from the method's failure to properly sanitize the route filename parameter, enabling attackers to traverse outside the intended directory. Users of Snipe-IT prior to version 8.5.0 should update to prevent such directory traversal attacks.
- Vendor
- grokability
- Product
- snipe-it
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Snipe-IT prior to version 8.5.0 should update to prevent directory traversal attacks. This vulnerability affects Snipe-IT deployments where an authenticated attacker could potentially exploit this issue to read arbitrary files. Operators, administrators, and security teams responsible for Snipe-IT installations should prioritize updating to version 8.5.0 or later. Additionally, security teams should review compensating controls for exposed systems while remediation is scheduled and verified.
Technical summary
CVE-2026-55474 is a high-severity vulnerability in Snipe-IT, a popular IT asset/license management system. In versions prior to 8.5.0, the ActionlogController::displaySig method is vulnerable to directory traversal attacks. An authenticated attacker can exploit this vulnerability to read arbitrary files accessible to the web server process by manipulating the route filename parameter. The issue was fixed in Snipe-IT version 8.5.0. This vulnerability has a CVSS score of 7.1 and is considered high severity.
Defensive priority
High priority to update Snipe-IT to version 8.5.0 or later and restrict access to sensitive files and directories.
Recommended defensive actions
- Update Snipe-IT to version 8.5.0 or later
- Restrict access to sensitive files and directories
- Monitor for suspicious file access attempts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
CVE-2026-55474 was patched in Snipe-IT 8.5.0. Directory traversal in ActionlogController::displaySig allows reading arbitrary files. The vulnerability exists in versions prior to 8.5.0, where an authenticated attacker can manipulate the route filename parameter to access files outside the intended directory. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.
Official resources
-
CVE-2026-55474 CVE record
CVE.org
-
CVE-2026-55474 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:25.080Z and has not been modified since then.