Skip to main content

Snipe-IT CVE-2026-55452

| EUVDEUVD-2026-42997 MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-07-10 security-advisories@github.com
4.8
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible stored payload requires low-privilege auth (PR:L), mandatory victim interaction to open the CSV (UI:R), and scope change since execution occurs on the viewer's workstation (S:C/C:L/I:L).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:39 vuln.today

DescriptionCVE.org

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0.

AnalysisAI

CSV formula injection in Snipe-IT prior to version 8.5.0 enables a low-privileged authenticated user to store a malicious spreadsheet formula via the HTTP User-Agent header, which is then written unescaped into exported Activity Report CSV files. When an administrator or report viewer opens the exported file in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the embedded formula executes within their local application environment, potentially enabling data exfiltration or arbitrary command execution on the viewer's workstation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged Snipe-IT user
Delivery
Send HTTP request with formula-prefixed User-Agent header
Exploit
Payload stored verbatim in activity log
Execution
Administrator exports Activity Report CSV
Persist
Administrator opens CSV in Excel or LibreOffice
Impact
Formula executes on admin workstation

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker possesses a valid, low-privileged authenticated account on the Snipe-IT instance (confirmed by PR:L in the CVSS 4.0 vector); (2) the attacker sends at least one authenticated HTTP request with a formula-prefixed User-Agent header, causing Actionlog::logaction() to store the payload; (3) a separate user - typically an administrator with access to the Reports module - must export the Activity Report and open the resulting CSV in spreadsheet software that evaluates formula elements (e.g., Microsoft Excel, LibreOffice Calc). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 (Medium) accurately reflects the constrained impact profile: while the attack is network-accessible with low complexity and low privilege (AV:N/AC:L/PR:L), mandatory active user interaction is required (UI:A) - a victim administrator must export and open the Activity Report CSV in formula-executing spreadsheet software before the payload fires. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Snipe-IT user sets their HTTP client's User-Agent header to a formula string such as =cmd|'/C powershell -enc ...'!A0 before making authenticated requests to the application. Snipe-IT logs this value verbatim in the activity table. …
Remediation Upgrade to Snipe-IT version 8.5.0, which resolves the issue via the fix committed at https://github.com/grokability/snipe-it/commit/7b7d2c87fbc965a7933b1bf9e3f2c331b8c8e19c; the vendor security advisory is at https://github.com/grokability/snipe-it/security/advisories/GHSA-whrx-mmgr-gpcf. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-5511 HIGH POC
8.8 Oct 11

Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),

CVE-2022-23064 HIGH POC
8.8 May 02

In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this

CVE-2021-4130 HIGH POC
8.8 Dec 18

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2021-3858 HIGH POC
8.8 Oct 19

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2022-2997 HIGH POC
8.0 Aug 25

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability

CVE-2022-1155 HIGH POC
7.4 Mar 30

Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel

CVE-2021-4075 HIGH POC
7.2 Dec 06

snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo

CVE-2024-48987 MEDIUM POC
6.6 Oct 11

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP

CVE-2022-1511 MEDIUM POC
6.5 Apr 28

Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera

CVE-2021-4108 MEDIUM POC
6.1 Dec 14

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2021-3863 MEDIUM POC
6.1 Oct 19

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2025-65622 MEDIUM POC
5.4 Dec 01

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user

Share

CVE-2026-55452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy