Vendor: Snipeitapp
Products: 1
CVEs: 5
Across products: 5
Status: Private
Products
1- 5 CVEs
Recent CVEs
5

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-15602 | High | 0.50 | 8.8 | 0.00 | | Mar 6, 2026 | Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance. |
| CVE-2026-38533 | Medium | 0.42 | 6.5 | 0.00 | | Apr 14, 2026 | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request. |
| CVE-2025-47226 | | 0.03 | — | 0.01 | | May 2, 2025 | Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. |
| CVE-2025-59713 | | 0.00 | — | 0.00 | | Sep 19, 2025 | Snipe-IT before 8.1.18 allows unsafe deserialization. |
| CVE-2025-59712 | | 0.00 | — | 0.00 | | Sep 19, 2025 | Snipe-IT before 8.1.18 allows XSS. |