CVE-2026-55452
Received Received - Intake

Stored Formula Injection in Snipe-IT Reports

Vulnerability report for CVE-2026-55452, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it 8.5.0
grokability snipe-it 8.5.0
grokability snipe-it to 8.6.2 (exc)
grokability snipe-it 8.6.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55452 is a CSV formula injection vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and lower.

The issue occurs because the application stores the User-Agent header from HTTP requests in the activity log without proper sanitization.

When an authenticated user with low privileges sets a formula-like User-Agent (for example, =HYPERLINK("https://example.com/","click")), it gets logged.

If an administrator or report viewer later exports the Activity Report as a CSV and opens it in spreadsheet software like Microsoft Excel or LibreOffice Calc, the embedded formula may execute.

This execution can lead to unintended actions such as making web requests to external servers.

The vulnerability was patched in version 8.6.2 of Snipe-IT.

Impact Analysis

This vulnerability can impact you by allowing a low-privileged authenticated user to inject malicious formulas into CSV reports.

When these reports are exported and opened by administrators or other users in spreadsheet software, the malicious formulas may execute.

Such execution can cause unintended actions, including making unauthorized web requests to external servers, potentially leading to data leakage or further exploitation.

This can compromise the security and integrity of your asset management data and expose your environment to additional risks.

Detection Guidance

This vulnerability can be detected by checking the Activity Report CSV exports for formula-like User-Agent entries that may execute when opened in spreadsheet software.

Specifically, look for User-Agent strings in the activity logs that start with characters like '=', '+', '-', or '@', which are typical indicators of CSV formula injection attempts.

You can search the logs or exported CSV files for suspicious User-Agent headers using commands like:

  • grep -E 'User-Agent.*^[=+\-@]' activity_log.csv
  • grep -E '^(=|\+|\-|@)' exported_report.csv

Additionally, monitoring HTTP request headers for unusual User-Agent values containing formula syntax can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this CSV formula injection vulnerability has been patched.

If upgrading immediately is not possible, enable CSV formula escaping by configuring the application to escape formulas in exported CSV files. This can be done by setting the `CSV_ESCAPE_FORMULAS` configuration in the .env file and ensuring the application uses the `League\Csv\EscapeFormula` class to sanitize CSV exports.

Additionally, restrict low-privileged users from submitting malicious User-Agent headers or limit access to the Activity Report exports to trusted users only.

Compliance Impact

The vulnerability allows a low-privileged authenticated user to inject formula-like content into CSV exports via the User-Agent header, which may execute when opened in spreadsheet software. This could lead to unintended actions such as making web requests to external servers.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such a vulnerability could potentially impact compliance by exposing sensitive data or enabling unauthorized data exfiltration through malicious CSV formulas.

Organizations subject to these regulations should consider this vulnerability a risk to data integrity and confidentiality, and apply the patch (version 8.6.2 or later) to mitigate potential compliance issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart