| Vendor | Product | Version Range | Status |
|---|---|---|---|
| grokability | snipe-it | < 8.6.2 | affected |
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| grokability | snipe-it | < 8.6.2 | - |
| # | POC Description | Source Link | Shenlong Link |
|---|
| CVE-2026-55516 | 7.7 HIGH | Snipe-IT: Cross-company asset maintenance re-parenting via API update |
| CVE-2026-55460 | 7.1 HIGH | Snipe-IT: Authorization bypass on bulk editing users |
| CVE-2026-55469 | 6.5 MEDIUM | Snipe-IT: Path traversal vulnerability via CSV import `image` field |
| CVE-2026-55461 | 6.1 MEDIUM | Snipe-IT: Open Redirect After User Edit |
| CVE-2026-55475 | 5.7 MEDIUM | Snipe-IT: Import created_by can be overwritten |
| CVE-2026-55515 | 5.0 MEDIUM | Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpo |
| CVE-2026-55462 | 4.3 MEDIUM | Snipe-IT: Authorization bypass on print inventory page |
| CVE-2026-55472 | 4.3 MEDIUM | Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation |
| CVE-2026-55452 | Snipe-IT: CSV formula injection in Activity Report export | |
| CVE-2026-55481 | Snipe-IT: CSS Injection via `header_color` Setting | |
| CVE-2026-55466 | Snipe-IT: Stored XSS via inline-served attachment | |
| CVE-2026-55479 | Snipe-IT: Incorrect permission for legacy license checkin API | |
| CVE-2026-55474 | Snipe-IT: Directory traversal in displaySig | |
| CVE-2026-55478 | Snipe-IT: Missing object-level authorization in Kits API | |
| CVE-2026-55464 | Snipe-IT: Stored XSS via Markdown custom field | |
| CVE-2026-55843 | Snipe-IT: Improper Privilege Management | |
| CVE-2026-55476 | Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter |
No comments yet