Medium severity6.4OSV Advisory· Published Feb 3, 2026· Updated Apr 15, 2026

CVE-2019-25264

Description

Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users.

Affected products

Grokability/Snipe ItOSV
Range: 3.2.0, v3.0, v3.0-alpha, …

Patches

d19df4ded85c

https://github.com/grokability/snipe-itvia osv

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

github.com/snipe/snipe-it/releases/tag/v4.7.5nvd
snipeitapp.comnvd
www.exploit-db.com/exploits/47756nvd
www.vulncheck.com/advisories/snipe-it-open-source-asset-management-persistent-cross-site-scriptingnvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000