These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-55515 is a vulnerability in Snipe-IT, an IT asset/license management system. The unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending()->find($acceptanceId) by global ID without checking access to the related checkoutable asset. This allows a reports user in one company to delete pending checkout acceptance records for another company. The [truncated]
CVE-2026-55481 is an issue in Snipe-IT, an IT asset/license management system, where the default.blade.php file does not properly escape HTML in header_color and related branding color settings within a CSS style block. This insufficient escaping allows a superadmin to inject arbitrary CSS, which affects authenticated users on subsequent page loads when Content Security Policy (CSP) is disabled. The issue [truncated]
CVE-2026-55479 is a MEDIUM severity vulnerability in Snipe-IT prior to 8.6.2. The legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission. This allows a user who can assign licenses but not unassign them to directly access the old checkin endpoint and reclaim a license seat assigned to another user or asset. The issue is fixed in version [truncated]
CVE-2026-55475 is a MEDIUM severity vulnerability in Snipe-IT's Importer API endpoint. Prior to version 8.6.1, a user with CSV import capabilities and a valid API key could overwrite the created_by value of an import file. This allowed unauthorized modification of import ownership metadata. The issue is fixed in version 8.6.1. Users of Snipe-IT asset/license management system should be aware of this vulne [truncated]
CVE-2026-55469 is a path traversal vulnerability in the Snipe-IT asset/license management system. An authenticated user with import and assets.update permissions can exploit this vulnerability by placing a path traversal string in an asset image field through CSV import and then triggering image deletion. This allows for the deletion of arbitrary files accessible to the server process. The issue was fixed [truncated]
CVE-2026-55466 is a vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.6.2, the UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml. The UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and exec [truncated]
CVE-2026-55462 is a medium-severity vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.6.2, an authenticated user with only 'users.view' permission can access inventory and cost/order metadata from modules that would otherwise be restricted. This issue is fixed in version 8.6.2. Affected product deployments should be identified and owners assigned for follow-up. Compensat [truncated]
CVE-2026-55461 is an open redirect vulnerability in Snipe-IT, a popular IT asset/license management system. The vulnerability allows an attacker to redirect a Snipe-IT user to a malicious website after a legitimate user edit action. This is possible because the user edit flow stores the URL from the attacker-controlled Referer header into Laravel's intended URL session value and later uses redirect()->int [truncated]
CVE-2026-55452 is a medium-severity vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.5.0, a low-privileged authenticated user could store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. The vulnerability arises from the Actionlog::logaction() function storing the request User-Agent header and ReportsControl [truncated]
CVE-2026-55843 is a high-severity vulnerability in Snipe-IT, an IT asset/license management system. The vulnerability allows an administrator to remove a target user's administrative or granular permissions. This issue is fixed in version 8.6.0. The vulnerability is caused by the UsersController::update() method passing a missing permission request field through NormalizePermissionsPayloadAction and Prese [truncated]
CVE-2026-55478 is a vulnerability in Snipe-IT, an IT asset/license management system. Prior to version 8.6.2, the system did not properly authorize access to a referenced license object when a low-privilege user with predefined-kit permissions attempted to bind a license they should not be able to access or manage into a kit. This issue has been fixed in version 8.6.2. The vulnerability allows low-privile [truncated]
CVE-2026-55476 is a medium-severity vulnerability in Snipe-IT versions prior to 8.6.0. An authenticated user can exploit this issue to silently cancel pending asset requests of other users by supplying a victim user ID in the POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} endpoint. The vulnerability is addressed in Snipe-IT version 8.6.0. This issue highlights the importanc [truncated]
CVE-2026-55474 is a high-severity vulnerability in Snipe-IT, a popular IT asset/license management system. The vulnerability, patched in version 8.5.0, allows an authenticated attacker to read arbitrary files accessible to the web server process through directory traversal in the ActionlogController::displaySig method. This issue arises from the method's failure to properly sanitize the route filename par [truncated]
CVE-2026-55464 is a medium-severity vulnerability in Snipe-IT, an IT asset/license management system. An authenticated user with assets.edit permission can inject malicious JavaScript via a Markdown hyperlink in a custom field, which executes when another user views the asset details and clicks the link. The issue is fixed in version 8.6.2. This vulnerability allows for cross-site scripting (XSS) attacks, [truncated]
CVE-2026-55460 is a high-severity vulnerability in Snipe-IT, an IT asset/license management system. An authenticated non-admin user with users.view and users.edit but without users.delete permissions can soft-delete another non-admin user by directly posting to /users/bulksave with delete_user=1. This is possible because the BulkUsersController::destroy() method only authorizes updates, not deletions. The [truncated]
CVE-2026-54329 is a high-severity vulnerability in Snipe-IT's Accessories API. Prior to version 8.6.2, the API's create path mass-assigns request parameters to the Accessory model, allowing a low-privileged authenticated user in one company to create accessory records under another company when Full Multiple Companies Support is enabled. This issue is fixed in version 8.6.2. The vulnerability exists due t [truncated]
CVE-2026-48492 is a medium-severity vulnerability in Snipe-IT's API endpoint, which lacks an authorization check. This allows any logged-in user to retrieve a paginated list of all user accounts, exposing sensitive information such as usernames, display names, employee numbers, and user IDs. The exposure affects active accounts, and its impact varies depending on whether FMCS is enabled. To mitigate this [truncated]
CVE-2026-55542 involves Snipe-IT, an IT asset/license management system. Prior to version 8.6.1, Snipe-IT's S3 signature image retrieval process lacks proper authorization before generating a temporary URL. This issue affects S3-backed deployments. Authenticated users who are aware of a signature filename can obtain a 5-minute signed S3 URL. This occurs because the S3 branch returns before the authorize() [truncated]
CVE-2026-48493 is a medium-severity vulnerability in Snipe-IT versions prior to 8.6.0. The issue allows a user with only 'users.edit' permission to send a PATCH request to /api/v1/users/{their_own_id} and grant themselves any permission except 'admin' and 'superuser'. This could potentially lead to unauthorized access or actions within the system. The vulnerability is patched in version 8.6.0. Users of Sn [truncated]
An open redirect vulnerability in Snipe-IT IT asset/license management system allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. The vulnerability exists in versions prior to 8.4.1 and was fixed in version 8.4.1. The CVSS 3.1 vector indicates attack vector is adjacent network, low attack complexity, low privileges required, user interactio [truncated]
An authenticated privilege escalation vulnerability in Snipe-IT allows users with only users.edit permission to grant themselves full administrative access. The API endpoint /api/v1/users/{id} fails to properly validate permission modifications, stripping only the superuser key while permitting admin and other elevated permissions to be set. This represents an authorization bypass where insufficient serve [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Snipe-IT, an open-source IT asset and license management platform. The flaw affects versions prior to 8.4.1 and resides in the unescaped rendering of the notes column within the components module. Users with component view access can trigger or be affected by this vulnerability when malicious scripts are embedded in notes fields and subsequently [truncated]