PT-2026-57267 · Snipe-It · Snipe-It

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-55474

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.5.0
Description An authenticated attacker can read arbitrary files accessible to the web server process. This occurs because the displaySig function within the ActionlogController concatenates the filename route parameter into a private upload-directory path without proper sanitization, enabling directory traversal.
Recommendations Update to version 8.5.0.

Fix

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55474

Affected Products

Snipe-It