CVE-2026-55461
Received Received - Intake

Stored XSS via Referer Header in Snipe-IT

Vulnerability report for CVE-2026-55461, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the user edit flow stores url()->previous() from the attacker-controlled Referer header into Laravel’s intended URL session value and later uses redirect()->intended(...) when redirect_option=back is submitted, allowing Snipe-IT to be used as a trusted redirector after a legitimate user edit action. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
snipeit snipeit 8.6.2
grokability snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55461 is a moderate severity open redirect vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and earlier.

The issue occurs in the user edit flow where the application stores the previous URL from the attacker-controlled Referer header into Laravel's intended URL session value.

When a user submits the edit form with redirect_option=back, the application redirects them using this stored URL via redirect()->intended(). Since the Referer header can be controlled by an attacker, this allows an authenticated user with edit permissions to be redirected to an external attacker-controlled site after performing a legitimate user edit action.

This vulnerability can be exploited to support phishing or trust-boundary attacks against Snipe-IT users.

The vulnerability was fixed in version 8.6.2.

Impact Analysis

This vulnerability can impact you by allowing an attacker to redirect authenticated users with edit permissions to malicious external websites after they perform legitimate user edit actions.

Such redirections can be used to facilitate phishing attacks or other trust-boundary violations, potentially leading to credential theft or other malicious activities.

The attack requires user interaction and affects confidentiality and integrity to a low degree, but it can still undermine user trust and security.

Detection Guidance

This vulnerability involves the user edit flow in Snipe-IT versions 8.6.1 and earlier, where the Referer header is stored and later used for redirection. Detection involves monitoring for unusual redirect behavior after user edit actions, especially redirects to external or unexpected URLs.

To detect exploitation attempts, you can inspect HTTP request logs for user edit requests that include the parameter redirect_option=back and check if the Referer header contains suspicious or external URLs.

  • Use web server logs or application logs to search for requests to the user edit endpoint with redirect_option=back.
  • Check for Referer headers in these requests that point to external or attacker-controlled domains.
  • Example command to search Apache or Nginx logs for such requests: grep -i 'redirect_option=back' /var/log/nginx/access.log | grep -i 'Referer:'
  • Use tools like curl or Burp Suite to manually test the user edit flow by setting the Referer header to an external URL and submitting the form with redirect_option=back to observe if redirection occurs.
Mitigation Strategies

The primary mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting access to the user edit functionality to trusted users only and monitor for suspicious redirect behavior.

Additionally, educate users about the risk of phishing attacks that may exploit this redirect vulnerability.

Compliance Impact

The vulnerability in Snipe-IT allows an attacker-controlled redirect after a legitimate user edit action, which can be exploited for phishing or trust-boundary attacks. This could potentially lead to unauthorized disclosure of information or user credentials if users are redirected to malicious sites.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such open redirect vulnerabilities can undermine security controls required by these regulations by enabling phishing attacks or unauthorized access, thereby potentially impacting confidentiality and integrity of sensitive data.

The vulnerability has a low impact on confidentiality and integrity according to the CVSS score, but organizations using affected versions should consider the risk of phishing and trust-boundary attacks in their compliance assessments and apply the patch to mitigate these risks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart