Packagist (Composer) package
snipe/snipe-it
pkg:composer/snipe/snipe-it
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44833 | Medium | — | — | < 8.4.1 | 8.4.1 | May 8, 2026 | Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable. Impact: Phishing (redirect users to fake login pages to steal credentials); Session Hijacking (redirect… |
| CVE-2026-44832 | High | — | — | < 8.4.1 | 8.4.1 | May 8, 2026 | Impact: An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing… |
| CVE-2026-44831 | Medium | — | — | < 8.4.1 | 8.4.1 | May 8, 2026 | Impact: Users with component view access could be impacted by an unescaped `notes` column. Patches: fixed in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438 and released in v8.4.1 or greater. Workarounds: None. |
| CVE-2026-37709 | Critical | 9.8 | — | < 8.4.1 | 8.4.1 | May 7, 2026 | Insecure permissions vulnerability in grokability snipe-it v8.4.0 and before (fixed after the 2026-03-10 commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component. |
| CVE-2025-15602 | High | 8.8 | — | < 8.3.7 | 8.3.7 | Mar 6, 2026 | Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account,… |
| CVE-2025-65622 | — | — | — | < 8.3.4 | 8.3.4 | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |
| CVE-2025-65621 | — | — | — | < 8.3.4 | 8.3.4 | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. |
| CVE-2025-64027 | — | — | — | <= 8.3.4 | — | Nov 20, 2025 | Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can inte… |
| CVE-2025-59713 | — | — | — | < 8.1.18 | 8.1.18 | Sep 19, 2025 | Snipe-IT before 8.1.18 allows unsafe deserialization. |
| CVE-2025-59712 | — | — | — | < 8.1.18 | 8.1.18 | Sep 19, 2025 | Snipe-IT before 8.1.18 allows XSS. |
| CVE-2025-47226 | — | — | — | < 8.1.0 | 8.1.0 | May 2, 2025 | Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. |
| CVE-2024-51093 | — | — | — | <= 7.0.13 | — | Nov 12, 2024 | Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the payload is executed, granting the attacker super admin permissions within the Snipe-I… |
| CVE-2024-48987 | — | — | — | < 7.0.10 | 7.0.10 | Oct 11, 2024 | Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. |
| CVE-2024-5685 | — | — | — | < 6.4.2 | 6.4.2 | Jun 14, 2024 | Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships via API call. This issue affects snipe-it from v4.6.17 through v6.4.1. |
| CVE-2023-5511 | — | — | — | < 6.2.3 | 6.2.3 | Oct 11, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v6.2.3. |
| CVE-2023-5452 | — | — | — | < 6.2.2 | 6.2.2 | Oct 6, 2023 | Stored Cross-site Scripting (XSS) in GitHub repository snipe/snipe-it prior to v6.2.2. |
| CVE-2022-44381 | — | — | — | <= 6.0.14 | — | Dec 25, 2022 | Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request. |
| CVE-2022-44380 | — | — | — | < 6.0.14 | 6.0.14 | Dec 25, 2022 | Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) in View Assigned Assets. |
| CVE-2022-3173 | — | — | — | < 6.0.10 | 6.0.10 | Sep 17, 2022 | Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10. |
| CVE-2022-3035 | — | — | — | < 6.0.11 | 6.0.11 | Aug 29, 2022 | Stored Cross-site Scripting (XSS) in GitHub repository snipe/snipe-it prior to v6.0.11. |