Vendor CVEs
Snipeitapp
All CVEs
46 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-37709 | Snipeitapp | Critical | 0.57 | 9.8 | 0.00 | — | May 7, 2026 | Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before (fixed after 2026-03-10 commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component. |
| CVE-2025-15602 | Snipeitapp | High | 0.50 | 8.8 | 0.00 | — | Mar 6, 2026 | Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user… |
| CVE-2026-38533 | Snipeitapp | Medium | 0.42 | 6.5 | 0.00 | — | Apr 14, 2026 | An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by supplying a crafted PUT request. |
| CVE-2026-48507 | Snipeitapp | High | 0.39 | 7.1 | 0.00 | — | Jun 8, 2026 | Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a… |
| CVE-2026-54329 | Snipeitapp | High | 0.38 | — | — | — | Jun 23, 2026 | A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by… |
| CVE-2019-25264 | Snipeitapp | Medium | 0.35 | 6.4 | 0.00 | — | Feb 3, 2026 | Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. |
| CVE-2025-63743 | Snipeitapp | Medium | 0.28 | 5.4 | 0.00 | — | Apr 13, 2026 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The… |
| CVE-2026-44831 | Snipeitapp | Medium | 0.24 | 4.8 | 0.00 | — | May 26, 2026 | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1. |
| CVE-2026-55482 | Snipeitapp | Medium | 0.19 | — | — | — | Jun 23, 2026 | The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets… |
| CVE-2026-55519 | Snipeitapp | Low | 0.00 | — | — | — | Jun 23, 2026 | A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an… |
| CVE-2025-65621 | Snipeitapp | — | 0.00 | — | 0.00 | — | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. |
| CVE-2025-65622 | Snipeitapp | — | 0.00 | — | 0.00 | — | Dec 1, 2025 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. |
| CVE-2025-63601 | Snipeitapp | — | 0.00 | — | 0.01 | — | Nov 5, 2025 | Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands. |
| CVE-2025-59712 | Snipeitapp | — | 0.00 | — | 0.00 | — | Sep 19, 2025 | Snipe-IT before 8.1.18 allows XSS. |
| CVE-2025-59713 | Snipeitapp | — | 0.00 | — | 0.00 | — | Sep 19, 2025 | Snipe-IT before 8.1.18 allows unsafe deserialization. |
| CVE-2025-47226 | Snipeitapp | — | 0.00 | — | 0.01 | — | May 2, 2025 | Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. |
| CVE-2024-51094 | Snipeitapp | — | 0.00 | — | 0.00 | — | Nov 12, 2024 | An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the… |
| CVE-2024-5685 | Snipeitapp | — | 0.00 | — | 0.00 | — | Jun 14, 2024 | Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships via an API call. This issue affects snipe-it from v4.6.17 through v6.4.1. |
| CVE-2023-5511 | Snipeitapp | — | 0.00 | — | 0.00 | — | Oct 11, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. |
| CVE-2023-5452 | Snipeitapp | — | 0.00 | — | 0.01 | — | Oct 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2. |
| CVE-2022-3173 | Snipeitapp | — | 0.00 | — | 0.01 | — | Sep 17, 2022 | Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10. |
| CVE-2022-3035 | Snipeitapp | — | 0.00 | — | 0.01 | — | Aug 29, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11. |
| CVE-2022-2997 | Snipeitapp | — | 0.00 | — | 0.01 | — | Aug 25, 2022 | Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. |
| CVE-2022-23064 | Snipeitapp | — | 0.00 | — | 0.01 | — | May 2, 2022 | In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted Host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus… |
| CVE-2022-1511 | Snipeitapp | — | 0.00 | — | 0.01 | — | Apr 28, 2022 | Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. |
| CVE-2022-1445 | Snipeitapp | — | 0.00 | — | 0.01 | — | Apr 24, 2022 | Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie. |
| CVE-2022-1380 | Snipeitapp | — | 0.00 | — | 0.01 | — | Apr 16, 2022 | Stored Cross Site Scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie. |
| CVE-2022-1155 | Snipeitapp | — | 0.00 | — | 0.01 | — | Mar 30, 2022 | Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10. |
| CVE-2022-0622 | Snipeitapp | — | 0.00 | — | 0.01 | — | Feb 17, 2022 | Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11. |
| CVE-2022-0611 | Snipeitapp | — | 0.00 | — | 0.01 | — | Feb 15, 2022 | Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11. |
| CVE-2022-0579 | Snipeitapp | — | 0.00 | — | 0.01 | — | Feb 14, 2022 | Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9. |
| CVE-2022-0569 | Snipeitapp | — | 0.00 | — | 0.01 | — | Feb 12, 2022 | Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9. |
| CVE-2022-0178 | Snipeitapp | — | 0.00 | — | 0.01 | — | Jan 13, 2022 | Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8. |
| CVE-2022-0179 | Snipeitapp | — | 0.00 | — | 0.01 | — | Jan 12, 2022 | snipe-it is vulnerable to Missing Authorization. |
| CVE-2021-4130 | Snipeitapp | — | 0.00 | — | 0.00 | — | Dec 18, 2021 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-4108 | Snipeitapp | — | 0.00 | — | 0.01 | — | Dec 14, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-4089 | Snipeitapp | — | 0.00 | — | 0.01 | — | Dec 10, 2021 | snipe-it is vulnerable to Improper Access Control. |
| CVE-2021-4075 | Snipeitapp | — | 0.00 | — | 0.01 | — | Dec 6, 2021 | snipe-it is vulnerable to Server-Side Request Forgery (SSRF). |
| CVE-2021-4018 | Snipeitapp | — | 0.00 | — | 0.01 | — | Dec 1, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3961 | Snipeitapp | — | 0.00 | — | 0.01 | — | Nov 19, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3931 | Snipeitapp | — | 0.00 | — | 0.00 | — | Nov 13, 2021 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2021-3938 | Snipeitapp | — | 0.00 | — | 0.01 | — | Nov 13, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3879 | Snipeitapp | — | 0.00 | — | 0.01 | — | Oct 19, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3863 | Snipeitapp | — | 0.00 | — | 0.01 | — | Oct 19, 2021 | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). |
| CVE-2021-3858 | Snipeitapp | — | 0.00 | — | 0.01 | — | Oct 19, 2021 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). |
| CVE-2019-10118 | Snipeitapp | — | 0.00 | — | 0.01 | — | Mar 27, 2019 | Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API. |