PT-2026-57265 · Snipe-It · Snipe-It
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-55464
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.6.2
Description
CommonMark escapes raw HTML but fails to sanitize
javascript: URIs within Markdown hyperlinks. This allows a user with assets.edit permissions to insert a malicious link into a markdown-textarea custom field. When another user views the asset detail page and clicks the link, arbitrary JavaScript is executed.Recommendations
Update to version 8.6.2.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snipe-It