Vulnerability in Snipe-IT IT Asset Management System Allows Formula Injection Through User-Agent Header
CVE-2026-55452

4.8MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55452?

Snipe-IT, a widely used IT asset and license management system, contains a vulnerability that allows an authenticated user with low privileges to exploit the system. The vulnerability arises from the Actionlog::logaction() method which stores the User-Agent header without adequate filtering. Similarly, the ReportsController::postActivityReport() function fails to properly escape this data when generating Activity Report CSV files. As a result, a malicious actor can inject a formula-like User-Agent string that executes arbitrary code when the CSV is opened in spreadsheet software, potentially compromising the user's system. Users are strongly advised to upgrade to version 8.5.0 or later, where this issue has been resolved.

Affected Version(s)

snipe-it < 8.5.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.