Directory Traversal Vulnerability in Snipe-IT IT Asset Management System
CVE-2026-55474

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55474?

Snipe-IT, an IT asset and license management system, contains a vulnerability due to improper sanitization of the route filename parameter in the ActionlogController::displaySig function. This flaw allows authenticated attackers to traverse outside the designated upload directory, potentially accessing sensitive files on the web server. This issue has been addressed in version 8.5.0, highlighting the importance of keeping software updated to mitigate such vulnerabilities.

Affected Version(s)

snipe-it < 8.5.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.