CVE-2026-55464 in snipe-itinfo

Summary

by MITRE • 07/10/2026

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a user with assets.edit permission to place a malicious link in a markdown-textarea custom field that executes arbitrary JavaScript when another user opens the asset detail page and clicks the link. This issue is fixed in version 8.6.2.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within the Snipe-IT IT asset management system where the application fails to properly sanitize user input in markdown text areas. The flaw stems from the application's handling of CommonMark markdown parsing which correctly escapes raw HTML content but neglects to filter javascript: URIs present in hyperlink destinations. This oversight creates a cross-site scripting vulnerability that specifically targets users with assets.edit permissions who can inject malicious links into custom fields. When another user accesses the asset detail page and clicks such a link, the embedded javascript code executes within the context of the victim's browser session, potentially compromising their security.

The technical implementation of this vulnerability involves the markdown parser's insufficient sanitization routine that processes hyperlinks but fails to validate or strip javascript protocol references from URL destinations. This represents a classic XSS flaw where user-controlled input containing executable code is rendered in the application's output without proper validation. The vulnerability specifically impacts the custom field functionality within asset records, making it particularly dangerous as administrators and other users routinely interact with these detailed asset views. The exploitation requires minimal privileges since any user possessing assets.edit permission can craft malicious links, making this a low-barrier attack vector that could affect any organization using Snipe-IT.

The operational impact of this vulnerability extends beyond simple code execution as it allows attackers to potentially steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. Given that asset management systems often contain sensitive organizational data, this vulnerability could enable broader reconnaissance activities or privilege escalation depending on the victim's access level within the application. The attack is particularly insidious because it leverages legitimate application functionality - custom fields in asset records - making the malicious behavior appear normal to security monitoring systems and users alike.

Organizations should immediately upgrade to Snipe-IT version 8.6.2 which implements proper javascript URI sanitization in markdown hyperlink processing. Additional mitigations include implementing content security policies that restrict script execution within the application, conducting regular security reviews of custom field configurations, and educating users about the risks of clicking untrusted links even within internal applications. This vulnerability aligns with CWE-79 (Cross-site Scripting) and follows patterns seen in ATT&CK technique T1566 (Phishing) where malicious links are embedded in legitimate application interfaces to bypass user suspicion and security controls. The fix implemented in version 8.6.2 should include comprehensive input validation that strips javascript: protocols from all hyperlink destinations regardless of their context within the markdown parsing pipeline.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!