CVE-2026-55464

Severity CVSS v4.0:
MEDIUM
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
10/07/2026
Last modified:
10/07/2026

Description

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a user with assets.edit permission to place a malicious link in a markdown-textarea custom field that executes arbitrary JavaScript when another user opens the asset detail page and clicks the link. This issue is fixed in version 8.6.2.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*:* 8.6.2 (excluding)