CVE-2026-55475
Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and
CVSS
5.7
Medium
EPSS
0.2%
p9
KEV
—
Exploit Today
3
0-100
Published: Jul 10, 2026 · Last modified: Jul 14, 2026 · CWE-863
0.2%EPSS · 30 days0.2%
2026-07-112026-07-17
Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the created_by value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in version 8.6.1.
- github.comhttps://github.com/grokability/snipe-it/commit/39fbe983132feca2ef15c1c0200fcc77c23a1434
- github.comhttps://github.com/grokability/snipe-it/pull/19072
- github.comhttps://github.com/grokability/snipe-it/releases/tag/v8.6.1
- github.comhttps://github.com/grokability/snipe-it/security/advisories/GHSA-5wx7-xq8j-v4qm
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-350298.8 HIG97.8%
——29LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment variables, register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution, read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image, and take over other privileged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables. Fixed in v1.83.0.3dCVE-2026-479967.6 HIG96.9%
——29Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.3dCVE-2025-324622.8 LOW86.9%
——26Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.4dCVE-2021-289367.5 HIG78.8%
——24The Acexy Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) Web management administrator password can be changed by sending a specially crafted HTTP GET request. The administrator username has to be known (default:admin) whereas no previous authentication is required.9dCVE-2021-406397.5 HIG64.4%
——19Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.9dCVE-2022-366348.8 HIG59.5%
——18An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.9d