CVE-2026-55452 in snipe-itinfo

Summary

by MITRE • 07/10/2026

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction() stores the request User-Agent header and ReportsController::postActivityReport() writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a formula-like User-Agent that may execute when a report viewer opens the exported CSV in spreadsheet software. This issue is fixed in version 8.5.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability exists within Snipe-IT version 8.4.1 and earlier, where the application fails to properly sanitize user input during the logging process. Specifically, the Actionlog::logaction() method indiscriminately stores the User-Agent header from incoming HTTP requests without any sanitization or escaping mechanisms. This flaw becomes particularly dangerous when combined with the ReportsController::postActivityReport() functionality that exports this data to CSV format for reporting purposes.

The technical implementation of this vulnerability stems from a lack of proper input validation and output encoding in the data flow between user input collection and report generation. When a low-privileged authenticated user submits a request containing a specially crafted User-Agent header, the system blindly logs this value without considering its potential to be interpreted as spreadsheet formulas by applications like Microsoft Excel or LibreOffice Calc. The CSV export process does not implement formula escaping or encoding, allowing malicious payloads embedded within the User-Agent string to execute automatically when the report is opened in spreadsheet software.

This vulnerability presents a significant operational risk to organizations using Snipe-IT for asset management. The low privilege requirement means that any authenticated user with basic access rights can potentially exploit this weakness, making it particularly concerning for environments with shared or less restricted user accounts. When an administrator or other privileged user opens the exported CSV report in spreadsheet software, the malicious formulas contained within the User-Agent field would execute automatically, potentially leading to data exfiltration, system compromise, or other malicious activities. The attack vector is particularly insidious because it requires no special privileges beyond basic authentication and can be executed through legitimate application usage patterns.

The vulnerability aligns with CWE-15 (Improper Neutralization of Data within SQL Queries) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) while also mapping to ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) and T1059.003 (Command and Scripting Interpreter: Windows Command Shell). The root cause lies in the application's failure to implement proper output encoding when transitioning from database storage to CSV export formats, creating a chain of trust where user input flows directly into potentially dangerous execution contexts without adequate sanitization.

Organizations should immediately upgrade to Snipe-IT version 8.5.0 or later to remediate this vulnerability. In the interim, administrators can implement additional controls such as monitoring for suspicious User-Agent patterns in logs and implementing network-level restrictions on CSV file downloads. The recommended mitigation strategy involves ensuring that all user-supplied data is properly escaped or encoded before being written to export formats, particularly when those formats are intended for use in spreadsheet applications where formula interpretation may occur. Additionally, organizations should consider implementing automated scanning of exported files for potentially malicious content and establish proper access controls to limit who can generate and download activity reports.

The fix implemented in version 8.5.0 addresses this vulnerability by introducing proper input sanitization mechanisms within the logging and export processes. The system now properly escapes or removes potentially dangerous characters from user-supplied data before storing it in the database and before writing it to CSV export files. This approach follows industry best practices for preventing formula injection attacks in spreadsheet applications and aligns with security frameworks that emphasize the principle of least privilege and proper input validation at all levels of application processing. The remediation ensures that even if malicious User-Agent strings are submitted, they cannot be executed when the reports are opened in spreadsheet software due to proper escaping of formula characters during the export process.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!