CVE-2026-55476 Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter
Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...