VYPR

Snipe It

by Grokability

CVEs (11)

  • CVE-2026-37709 (Critical), May 7, 2026
    risk 0.57, cvss 9.8, epss 0.00

    Insecure Permissions vulnerability in grokability snipe-it v8.4.0 and earlier (fixed after commit 676a9958 of 2026-03-10) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.

  • CVE-2026-44832 (High), May 26, 2026
    risk 0.50, cvss 8.8, epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the…

  • CVE-2026-48507 (High), Jun 8, 2026
    risk 0.39, cvss 7.1, epss 0.00

    Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a…

  • CVE-2019-25264 (Medium), Feb 3, 2026
    risk 0.35, cvss 6.4, epss 0.00

    Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users.

  • CVE-2026-44833 (Medium), May 26, 2026
    risk 0.31, cvss 5.9, epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable. This vulnerability is fixed in 8.4.1.

  • CVE-2026-44831 (Medium), May 26, 2026
    risk 0.24, cvss 4.8, epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.

  • CVE-2026-55483 (medium), Jun 23, 2026
    risk 0.19, cvss n/a, epss n/a

    Impact: The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user…

  • CVE-2026-48492 (medium), Jun 23, 2026
    risk 0.19, cvss n/a, epss n/a

    Impact: The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT, regardless of permissions, can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated…

  • CVE-2026-55542 (low), Jun 23, 2026
    risk 0.00, cvss n/a, epss n/a

    Impact: Snipe-IT S3 signature image retrieval lacks an authorization check before issuing a temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the…

  • CVE-2026-55519 (low), Jun 23, 2026
    risk 0.00, cvss n/a, epss n/a

    Impact: A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an…

  • CVE-2026-48493 (severity not given), Jun 23, 2026
    risk 0.00, cvss n/a, epss 0.00

    Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`,…