Snipe It

by Snipeitapp

CVEs (46)

  • CVE-2026-37709 (Critical) May 7, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Insecure Permissions vulnerability in Grokability Snipe-IT v8.4.0 and earlier (fixed after the 2026-03-10 commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.

  • CVE-2025-15602 (High) Mar 6, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user…

  • CVE-2026-38533 (Medium) Apr 14, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.

  • CVE-2026-48507 (High) Jun 8, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a…

  • CVE-2026-54329 (High) Jun 23, 2026
    risk 0.38 | cvss n/a | epss n/a

    A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by…

  • CVE-2019-25264 (Medium) Feb 3, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users.

  • CVE-2025-63743 (Medium) Apr 13, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The…

  • CVE-2026-44831 (Medium) May 26, 2026
    risk 0.24 | cvss 4.8 | epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.

  • CVE-2026-55482 (Medium) Jun 23, 2026
    risk 0.19 | cvss n/a | epss n/a

    The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets…

  • CVE-2026-55519 (Low) Jun 23, 2026
    risk 0.00 | cvss n/a | epss n/a

    A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an…

  • CVE-2025-65622 Dec 1, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

  • CVE-2025-65621 Dec 1, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.

  • CVE-2025-63601 Nov 5, 2025
    risk 0.00 | cvss n/a | epss 0.01

    Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands.

  • CVE-2025-59713 Sep 19, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Snipe-IT before 8.1.18 allows unsafe deserialization.

  • CVE-2025-59712 Sep 19, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Snipe-IT before 8.1.18 allows XSS.

  • CVE-2025-47226 May 2, 2025
    risk 0.00 | cvss n/a | epss 0.01

    Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

  • CVE-2024-51094 Nov 12, 2024
    risk 0.00 | cvss n/a | epss 0.00

    An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the…

  • CVE-2024-5685 Jun 14, 2024
    risk 0.00 | cvss n/a | epss 0.00

    Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships via an API call. This issue affects snipe-it from v4.6.17 through v6.4.1.

  • CVE-2023-5511 Oct 11, 2023
    risk 0.00 | cvss n/a | epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.

  • CVE-2023-5452 Oct 6, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.

Page 1 of 3