XHTML Injection Vulnerability in Snipe-IT by grokability
CVE-2026-55466

6.2MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55466?

The Snipe-IT IT asset and license management system was found to have a vulnerability that allows low-privilege users to upload active XHTML or XML content. This occurs because, prior to version 8.6.2, the platform sanitizes SVG content only when specifically identified as image/svg+xml. Consequently, UploadedFilesController can serve attachments inline without adequate security measures, thus enabling JavaScript execution in the browser of a viewer. The issue was addressed in version 8.6.2.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V4

Score:
6.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.