PT-2026-57267 · Snipe-It · Snipe-It
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-55474
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 8.5.0
Description
An authenticated attacker can read arbitrary files accessible to the web server process. This occurs because the
displaySig function within the ActionlogController concatenates the filename route parameter into a private upload-directory path without proper sanitization, enabling directory traversal.Recommendations
Update to version 8.5.0.
Fix
Relative Path Traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Snipe-It