cvedb.io
CVE-2026-55474
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-07-10T19:17:25.080 · Last modified 2026-07-10T20:16:47.220

Summary

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an authenticated attacker to traverse outside the intended directory and read arbitrary files accessible to the web server process. This issue is fixed in version 8.5.0.

Affected products

snipeitapp — snipe-it

Does this affect you?

Add your gear to cvedb and we'll alert you only when snipeitapp ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.