VYPR
Medium severity · GHSA Advisory · Published May 8, 2026

Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

CVE-2026-44831

Description

Impact

Users with component view access could be impacted by an unescaped notes column.

Patches

This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.
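To make the one-line fix concrete, here is an added illustration (not Snipe-IT code and not the commit above) of what the transformer row looked like before and after escaping the pivot note. The helper `escapeHtml()` is an assumption that approximates Laravel's `e()` helper (null-safe `htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE`); the function and variable names and the sample pivot row are constructed for this example.

```php
<?php
// Added illustration, not Snipe-IT code: a stand-in for the pivot row the
// transformer builds, showing the raw note before the fix and the escaped
// note after it. escapeHtml() approximates Laravel's e() helper (assumption).

declare(strict_types=1);

/** Approximation of Laravel's e(): null-safe, UTF-8, escapes quotes as well as <, > and &. */
function escapeHtml(?string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

/**
 * Row as built before the fix: the note is passed through untouched, so any
 * markup stored with the checkout reaches the browser exactly as entered.
 */
function transformRowVulnerable(array $pivot): array
{
    return [
        'qty'  => $pivot['assigned_qty'],
        'note' => $pivot['note'],
    ];
}

/** Same row after the fix: the note is escaped like the neighbouring 'name' field. */
function transformRowPatched(array $pivot): array
{
    return [
        'qty'  => $pivot['assigned_qty'],
        'note' => escapeHtml($pivot['note']),
    ];
}

/** True when the value contains no unescaped HTML-significant characters. */
function isHtmlSafe(string $value): bool
{
    return !preg_match('/[<>"\']/', $value)
        && !preg_match('/&(?![a-z0-9#]+;)/i', $value);
}

// Constructed sample pivot row: markup, an ampersand and quotes are enough to
// show the difference; this is not an attack payload.
$samplePivot = [
    'assigned_qty' => 2,
    'note'         => 'Spare <b>fan</b> & cable, "urgent"',
];

$before = transformRowVulnerable($samplePivot);
$after  = transformRowPatched($samplePivot);

// Raw note leaks markup; escaped note is inert when rendered as HTML.
assert($before['note'] === 'Spare <b>fan</b> & cable, "urgent"');
assert($after['note']  === 'Spare &lt;b&gt;fan&lt;/b&gt; &amp; cable, &quot;urgent&quot;');
assert(!isHtmlSafe($before['note']) && isHtmlSafe($after['note']));

// A checkout with no note stores null; the null-safe helper must yield '' rather than a TypeError.
assert(transformRowPatched(['assigned_qty' => 1, 'note' => null])['note'] === '');

printf("before: %s\nafter:  %s\n", $before['note'], $after['note']);
```

Run it with `php example.php` (with `zend.assertions=1` so the assertions execute). The point to take away is that the transformer output is consumed by a page that renders it as HTML, so the escaping contract has to be applied uniformly to every free-text column, not only to `name`.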

Workarounds

None.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
snipe/snipe-it (Packagist)  < 8.4.1             8.4.1

Patches

Commit 28f493d84d05

Escape pivot notes

1 file changed · +1 −1
  • app/Http/Transformers/ComponentsTransformer.php (+1 −1, modified)
    @@ -91,7 +91,7 @@ public function transformCheckedoutComponents(Collection $components_assets, $to
                     'id' => (int) $asset->id,
                     'name' =>  e($asset->model->display_name).' '.e($asset->display_name),
                     'qty' => $asset->pivot->assigned_qty,
    -                'note' => $asset->pivot->note,
    +                'note' => e($asset->pivot->note),
                     'type' => 'asset',
                     'created_at' => Helper::getFormattedDateObject($asset->pivot->created_at, 'datetime'),
                     'available_actions' => ['checkin' => true],
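Review bot: the change is consistent with the `'name'` entry two lines above, which already wraps its values in `e()`, so this hunk closes the gap for the one free-text column in this row that was still emitted raw. Two things worth confirming in review: first, `e()` double-encodes by default, so a note that already contains an entity such as `&amp;` will now be shown literally rather than as `&`; that matches the existing `'name'` behaviour, so it is acceptable, but it is a visible change. Second, this hunk only covers `transformCheckedoutComponents`; the same `pivot->note` value should be checked wherever else it is rendered, and a regression test that feeds a note containing `<`, `"` and `&` through this transformer and asserts on the escaped output would keep the fix from being undone by a later refactor.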
