CVE-2026-55469 PUBLISHED

Snipe-IT: Path traversal vulnerability via CSV import `image` field

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the server process. This issue is fixed in version 8.6.2.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 6.5

Product Status

Vendor grokability
Product snipe-it
Versions
  • Version < 8.6.2 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE