CVE-2026-55481
Received Received - Intake

Stored CSS Injection in Snipe-IT Prior to 8.6.2

Vulnerability report for CVE-2026-55481, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders header_color and related branding color settings inside a CSS style block with HTML escaping that is insufficient for the CSS context, allowing a superadmin to inject arbitrary CSS that affects authenticated users on subsequent page loads when Content Security Policy is disabled. This issue is fixed in version 8.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
snipe-it snipe-it to 8.6.2 (exc)
grokability snipe-it to 8.6.2 (inc)
grokability snipe-it to 8.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55481 is a CSS injection vulnerability in the Snipe-IT asset management system affecting versions 8.6.1 and earlier.

The issue arises because the application renders the header_color and related branding color settings inside a CSS style block using HTML escaping that is insufficient for CSS contexts.

This allows a superadmin to inject arbitrary CSS code by manipulating the header_color setting, which then affects authenticated users on subsequent page loads.

The vulnerability is worsened by the fact that Content Security Policy (CSP) is disabled by default in Snipe-IT, removing an important browser-level defense.

The injected CSS can be used to exfiltrate session tokens and other sensitive data from active user sessions by silently loading external resources.

This issue was fixed in version 8.6.2 by introducing CSS color validation to ensure only valid CSS color formats are accepted and by enabling CSP by default.

Impact Analysis

If exploited, this vulnerability allows a superadmin to inject malicious CSS that affects all authenticated users.

The injected CSS can be used to steal sensitive information such as session tokens and cookies from other users, including administrators.

This can lead to unauthorized access to user accounts, session hijacking, and potential further compromise of the system.

The impact is significant especially when Content Security Policy is disabled, as there is no browser-level protection against such CSS injection attacks.

Detection Guidance

This vulnerability involves a superadmin injecting arbitrary CSS via the header_color setting in Snipe-IT versions prior to 8.6.2. Detection involves checking for suspicious or malformed CSS values in the branding color settings, especially header_color.

Since the vulnerability allows CSS injection that can exfiltrate session tokens by loading external resources, network detection could involve monitoring outgoing HTTP requests for unusual or unexpected external resource loads originating from authenticated user sessions.

To detect the vulnerability on the system, you can:

  • Inspect the database or configuration files for header_color or related branding color settings containing suspicious CSS code or values that do not conform to valid CSS color formats.
  • Use grep or similar commands to search for suspicious CSS injection patterns in configuration files or database dumps, for example:
  • grep -i 'header_color' /path/to/snipe-it/config/*
  • grep -E 'url\(|expression\(|;|\{|\}' /path/to/snipe-it/config/*

On the network side, monitor HTTP traffic for unusual external resource requests that could indicate CSS exfiltration attempts.

Mitigation Strategies

To mitigate CVE-2026-55481 immediately, you should upgrade Snipe-IT to version 8.6.2 or later, where the vulnerability is fixed by adding proper CSS color validation.

If upgrading immediately is not possible, enable Content Security Policy (CSP) in your .env configuration file to block malicious CSS injection from executing in users' browsers.

Additionally, review and sanitize any existing header_color or branding color settings to ensure they contain only valid CSS color values and do not include injected CSS code.

Compliance Impact

The vulnerability allows a superadmin to inject arbitrary CSS that can exfiltrate session tokens and sensitive data such as cookies from authenticated users. This could lead to unauthorized access to user sessions and potentially expose personal or sensitive information managed within the Snipe-IT system.

Such unauthorized data exposure and session hijacking risks could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

The vulnerability is mitigated by enabling Content Security Policy (CSP) and applying CSS color validation, which prevents malicious CSS injection and helps maintain the confidentiality and integrity of user data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart