CSS Injection Vulnerability in Snipe-IT Asset Management System
CVE-2026-55481

6.2MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55481?

Snipe-IT, an IT asset and license management system, is vulnerable to CSS injection due to inadequate HTML escaping in the default.blade.php file. This vulnerability allows a superadmin to inject arbitrary CSS that can alter the appearance and functionality of the interface for authenticated users on subsequent page loads, particularly when the Content Security Policy is disabled. This issue has been addressed in version 8.6.2, making it crucial for users to update to the latest version to safeguard against such injection attacks.

Affected Version(s)

snipe-it < 8.6.2

References

CVSS V4

Score:
6.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.