CVE-2026-55476
Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...