Skip to main content

Snipe-IT CVE-2026-55469

| EUVDEUVD-2026-43000 MEDIUM
Path Traversal (CWE-22)
2026-07-10 security-advisories@github.com
6.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.5 MEDIUM

Network vector via web interface; PR:H because both import and assets.update permissions must be held; no confidentiality impact as only deletion occurs.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 21:02 EUVD
Analysis Generated
Jul 10, 2026 - 20:44 vuln.today

DescriptionCVE.org

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.

AnalysisAI

Arbitrary file deletion in Snipe-IT prior to 8.6.2 allows an authenticated attacker holding both import and assets.update permissions to delete any file readable by the server process via a path traversal string injected into the asset image field during CSV import. The vulnerability is triggered in a two-stage pattern: first importing a crafted CSV, then invoking the image deletion action, which follows the unsanitized path without boundary checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with import+assets.update account
Delivery
Craft CSV with path traversal in image field
Exploit
Submit CSV via import endpoint
Execution
Trigger asset image deletion action
Impact
Server deletes arbitrary targeted file

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with a Snipe-IT account that has been granted BOTH the import permission AND the assets.update permission - two distinct, administratively-assigned roles that must coexist on the same account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS base score of 6.5 with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H accurately reflects the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a Snipe-IT account with both import and assets.update permissions prepares a CSV file containing a crafted asset image field value such as '../../var/www/snipe-it/.env' or another sensitive server path. After importing the CSV via the standard import interface, the attacker triggers the asset image deletion action on the affected record, causing the server to delete the targeted file outside the intended upload directory. …
Remediation Upgrade Snipe-IT to version 8.6.2 or later, which contains the patch referenced in commit abc4363e8393b29a5566b8c50144426af72bbc97 (https://github.com/grokability/snipe-it/commit/abc4363e8393b29a5566b8c50144426af72bbc97). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-5511 HIGH POC
8.8 Oct 11

Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. Rated high severity (CVSS 8.8),

CVE-2022-23064 HIGH POC
8.8 May 02

In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. Rated high severity (CVSS 8.8), this

CVE-2021-4130 HIGH POC
8.8 Dec 18

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2021-3858 HIGH POC
8.8 Oct 19

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2022-2997 HIGH POC
8.0 Aug 25

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability

CVE-2022-1155 HIGH POC
7.4 Mar 30

Old sessions are not blocked by the login enable function. Rated high severity (CVSS 7.4), this vulnerability is remotel

CVE-2021-4075 HIGH POC
7.2 Dec 06

snipe-it is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.2), this vulnerability is remo

CVE-2024-48987 MEDIUM POC
6.6 Oct 11

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the AP

CVE-2022-1511 MEDIUM POC
6.5 Apr 28

Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. Rated medium severity (CVSS 6.5), this vulnera

CVE-2021-4108 MEDIUM POC
6.1 Dec 14

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2021-3863 MEDIUM POC
6.1 Oct 19

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2025-65622 MEDIUM POC
5.4 Dec 01

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user

Share

CVE-2026-55469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy