CVE-2026-55466
Received Received - Intake

Stored XSS in Snipe-IT via SVG Upload

Vulnerability report for CVE-2026-55466, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline(), allowing a low-privilege user to upload active XHTML or XML content that is later served same-origin and executes JavaScript in a viewer’s browser. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it 8.6.2
grokability snipe-it to 8.6.2 (exc)
grokability snipe-it From 8.6.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows a low-privilege user to upload malicious XHTML or XML content that executes JavaScript in a viewer's browser, potentially leading to unauthorized access to sensitive information such as cookies.

Such unauthorized script execution can result in data breaches or exposure of personal or sensitive data, which may violate data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

Therefore, the presence of this vulnerability could negatively impact compliance with these standards by enabling cross-site scripting attacks that compromise data confidentiality and integrity.

Executive Summary

CVE-2026-55466 is a stored cross-site scripting (XSS) vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and earlier.

The vulnerability arises because the system sanitizes SVG uploads only when the MIME type is detected as image/svg+xml by PHP's finfo, but it allows uploading XML files (such as XHTML) without proper sanitization.

A low-privilege user can upload a malicious XHTML or XML file containing embedded JavaScript. When this file is served inline by the application without proper safety checks, the browser executes the embedded script, leading to XSS.

The root cause is that the inline serving path does not enforce the StorageHelper::allowSafeInline() whitelist, allowing unsafe inline rendering of uploaded files.

This issue was fixed in version 8.6.2 by adding proper checks before serving files inline.

Impact Analysis

This vulnerability can allow an attacker with low privileges to execute arbitrary JavaScript in the browsers of users who view the malicious uploaded file.

  • Execution of malicious scripts can lead to theft of cookies or session tokens.
  • It can result in unauthorized actions performed on behalf of the victim user.
  • It may lead to compromise of user accounts or sensitive information accessible through the browser session.
  • Overall, it undermines the security and trustworthiness of the application.
Detection Guidance

This vulnerability can be detected by checking if your Snipe-IT installation allows uploading XML or XHTML files that are served inline without proper sanitization or validation.

One way to detect it is to attempt uploading an XML or XHTML file containing JavaScript payloads and then accessing the file via the inline=true parameter to see if the script executes in the browser.

You can also inspect the server code or configuration to verify if the StorageHelper::allowSafeInline() check is implemented when serving files inline.

No specific commands are provided in the resources, but general detection steps include:

  • Attempt uploading a .xml or .xhtml file with embedded JavaScript payload.
  • Access the uploaded file via the inline=true parameter in the download URL.
  • Observe if the JavaScript executes in the browser, indicating the vulnerability.
  • Check the Snipe-IT version; versions prior to 8.6.2 are vulnerable.
Mitigation Strategies

The immediate mitigation step is to upgrade Snipe-IT to version 8.6.2 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, restrict or disable the ability for low-privilege users to upload XML or XHTML files.

Additionally, review and apply the patch that introduces the StorageHelper::allowSafeInline() check before serving files inline, ensuring unsafe files are not rendered inline.

Consider monitoring and blocking suspicious file uploads and inline file serving until the patch or upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart