XHTML Injection Vulnerability in Snipe-IT by grokability
CVE-2026-55466
6.2MEDIUM
What is CVE-2026-55466?
The Snipe-IT IT asset and license management system was found to have a vulnerability that allows low-privilege users to upload active XHTML or XML content. This occurs because, prior to version 8.6.2, the platform sanitizes SVG content only when specifically identified as image/svg+xml. Consequently, UploadedFilesController can serve attachments inline without adequate security measures, thus enabling JavaScript execution in the browser of a viewer. The issue was addressed in version 8.6.2.
Affected Version(s)
snipe-it < 8.6.2
