CVE-2026-55481 in Snipe-IT
Summary
by MITRE • 07/10/2026
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders header_color and related branding color settings inside a CSS style block with HTML escaping that is insufficient for the CSS context, allowing a superadmin to inject arbitrary CSS that affects authenticated users on subsequent page loads when Content Security Policy is disabled. This issue is fixed in version 8.6.2.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability exists within the Snipe-IT IT asset management system where the default.blade.php template file fails to properly sanitize user-controllable color settings during HTML rendering. This flaw specifically impacts the header_color and related branding color parameters that are rendered directly into CSS style blocks without adequate context-appropriate escaping mechanisms. The insufficient HTML escaping occurs within a CSS context where special characters can be interpreted as CSS syntax rather than literal text, creating a vector for malicious code injection.
The technical implementation of this vulnerability stems from the application's failure to apply context-specific sanitization techniques when processing user inputs destined for CSS rendering contexts. When superadmin users modify branding color settings through the administrative interface, these values are directly inserted into CSS style blocks without proper CSS escaping or encoding. This allows attackers with superadmin privileges to inject arbitrary CSS rules that can manipulate page appearance and potentially execute malicious code when CSP is disabled.
The operational impact of this vulnerability is significant as it enables persistent cross-site scripting attacks that affect all authenticated users who subsequently load pages containing the compromised color settings. The attack requires only a superadmin account, making it particularly dangerous in environments where administrative privileges are not properly restricted. Once injected, malicious CSS can modify page elements, redirect users to malicious sites, or perform other harmful actions that compromise user sessions and system integrity.
This vulnerability aligns with CWE-1004 which addresses insecure default configurations and CWE-79 which covers cross-site scripting flaws in web applications. The issue also maps to ATT&CK technique T1566 related to credential access through social engineering and T1213 which involves data from information repositories. The lack of proper input validation and output encoding in the context of CSS rendering represents a classic insecure coding practice that violates secure development principles.
The recommended mitigation strategy involves implementing proper CSS context escaping for all user-controllable inputs rendered within CSS blocks, upgrading to Snipe-IT version 8.6.2 which contains the necessary fixes, and ensuring Content Security Policy is properly configured to prevent unauthorized code execution. Additionally, administrators should conduct regular security reviews of all configurable parameters that can be rendered in sensitive contexts, implement principle of least privilege for administrative accounts, and establish robust input validation controls that consider the target execution context of all user-provided data.