Vulnerability in Snipe-IT IT Asset Management System Allows Formula Injection Through User-Agent Header
CVE-2026-55452
4.8MEDIUM
What is CVE-2026-55452?
Snipe-IT, a widely used IT asset and license management system, contains a vulnerability that allows an authenticated user with low privileges to exploit the system. The vulnerability arises from the Actionlog::logaction() method which stores the User-Agent header without adequate filtering. Similarly, the ReportsController::postActivityReport() function fails to properly escape this data when generating Activity Report CSV files. As a result, a malicious actor can inject a formula-like User-Agent string that executes arbitrary code when the CSV is opened in spreadsheet software, potentially compromising the user's system. Users are strongly advised to upgrade to version 8.5.0 or later, where this issue has been resolved.
Affected Version(s)
snipe-it < 8.5.0
