Snipeitapp
Products
1–46 of 46 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-37709 | | Critical | 0.57 | 9.8 | 0.00 | | May 7, 2026 | Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component |
| CVE-2025-15602 | | High | 0.50 | 8.8 | 0.00 | | Mar 6, 2026 | Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user… |
| CVE-2026-38533 | | Medium | 0.42 | 6.5 | 0.00 | | Apr 14, 2026 | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request. |
| CVE-2026-48507 | | High | 0.39 | 7.1 | 0.00 | | Jun 8, 2026 | Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a… |
| CVE-2026-54329 | | High | 0.38 | — | — | | Jun 23, 2026 | Impact: A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by… |
| CVE-2019-25264 | | Medium | 0.35 | 6.4 | 0.00 | | Feb 3, 2026 | Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. |
| CVE-2025-63743 | | Medium | 0.28 | 5.4 | 0.00 | | Apr 13, 2026 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The… |
| CVE-2026-44831 | | Medium | 0.24 | 4.8 | 0.00 | | May 26, 2026 | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1. |
| CVE-2026-55482 | | Medium | 0.19 | — | — | | Jun 23, 2026 | Impact: The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets… |
| CVE-2026-55519 | | Low | 0.00 | — | — | | Jun 23, 2026 | Impact: A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an… |
| CVE-2025-65621 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. |
| CVE-2025-65622 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |
| CVE-2025-63601 | | | 0.00 | — | 0.01 | | Nov 5, 2025 | Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands. |
| CVE-2025-59712 | | | 0.00 | — | 0.00 | | Sep 19, 2025 | Snipe-IT before 8.1.18 allows XSS. |
| CVE-2025-59713 | | | 0.00 | — | 0.00 | | Sep 19, 2025 | Snipe-IT before 8.1.18 allows unsafe deserialization. |
| CVE-2025-47226 | | | 0.00 | — | 0.01 | | May 2, 2025 | Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. |
| CVE-2024-51094 | | | 0.00 | — | 0.00 | | Nov 12, 2024 | An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the… |
| CVE-2024-5685 | | | 0.00 | — | 0.00 | | Jun 14, 2024 | Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1. |
| CVE-2023-5511 | | | 0.00 | — | 0.00 | | Oct 11, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. |
| CVE-2023-5452 | | | 0.00 | — | 0.01 | | Oct 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2. |