PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55474 grokability CVE debrief

CVE-2026-55474 is a high-severity vulnerability in Snipe-IT, a popular IT asset/license management system. The vulnerability, patched in version 8.5.0, allows an authenticated attacker to read arbitrary files accessible to the web server process through directory traversal in the ActionlogController::displaySig method. This issue arises from the method's failure to properly sanitize the route filename parameter, enabling attackers to traverse outside the intended directory. Users of Snipe-IT prior to version 8.5.0 should update to prevent such directory traversal attacks.

Vendor
grokability
Product
snipe-it
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Snipe-IT prior to version 8.5.0 should update to prevent directory traversal attacks. This vulnerability affects Snipe-IT deployments where an authenticated attacker could potentially exploit this issue to read arbitrary files. Operators, administrators, and security teams responsible for Snipe-IT installations should prioritize updating to version 8.5.0 or later. Additionally, security teams should review compensating controls for exposed systems while remediation is scheduled and verified.

Technical summary

CVE-2026-55474 is a high-severity vulnerability in Snipe-IT, a popular IT asset/license management system. In versions prior to 8.5.0, the ActionlogController::displaySig method is vulnerable to directory traversal attacks. An authenticated attacker can exploit this vulnerability to read arbitrary files accessible to the web server process by manipulating the route filename parameter. The issue was fixed in Snipe-IT version 8.5.0. This vulnerability has a CVSS score of 7.1 and is considered high severity.

Defensive priority

High priority to update Snipe-IT to version 8.5.0 or later and restrict access to sensitive files and directories.

Recommended defensive actions

  • Update Snipe-IT to version 8.5.0 or later
  • Restrict access to sensitive files and directories
  • Monitor for suspicious file access attempts
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

CVE-2026-55474 was patched in Snipe-IT 8.5.0. Directory traversal in ActionlogController::displaySig allows reading arbitrary files. The vulnerability exists in versions prior to 8.5.0, where an authenticated attacker can manipulate the route filename parameter to access files outside the intended directory. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:25.080Z and has not been modified since then.