CVE-2026-55464
Severity CVSS v4.0:
MEDIUM
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a user with assets.edit permission to place a malicious link in a markdown-textarea custom field that executes arbitrary JavaScript when another user opens the asset detail page and clicks the link. This issue is fixed in version 8.6.2.
Impact
Base Score 4.0
4.80
Severity 4.0
MEDIUM
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:* | 8.6.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



