VYPR

Vendor CVEs: Snipeitapp (Snipe-IT)

All CVEs

46 total · sorted by risk
  • CVE-2026-37709 · Critical · May 7, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Insecure permissions vulnerability in Grokability Snipe-IT v8.4.0 and earlier (fixed after the 2026-03-10 commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component.

  • CVE-2025-15602 · High · Mar 6, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user…

  • CVE-2026-38533 · Medium · Apr 14, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.

  • CVE-2026-48507 · High · Jun 8, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a…

  • CVE-2026-54329 · High · Jun 23, 2026
    risk 0.38 · cvss n/a · epss n/a

    Impact: A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by…

  • CVE-2019-25264 · Medium · Feb 3, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users.

  • CVE-2025-63743 · Medium · Apr 13, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Cross-site scripting vulnerability in the Snipe-IT web-based asset management system, v8.3.0 up to and including v8.3.1, allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The…

  • CVE-2026-44831 · Medium · May 26, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.

  • CVE-2026-55482 · Medium · Jun 23, 2026
    risk 0.19 · cvss n/a · epss n/a

    Impact: The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets…

  • CVE-2026-55519 · Low · Jun 23, 2026
    risk 0.00 · cvss n/a · epss n/a

    Impact: A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an…

  • CVE-2025-65621 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.

  • CVE-2025-65622 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

  • CVE-2025-63601 · Nov 5, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands.

  • CVE-2025-59712 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Snipe-IT before 8.1.18 allows XSS.

  • CVE-2025-59713 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Snipe-IT before 8.1.18 allows unsafe deserialization.

  • CVE-2025-47226 · May 2, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

  • CVE-2024-51094 · Nov 12, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the…

  • CVE-2024-5685 · Jun 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing the group memberships via an API call. This issue affects snipe-it from v4.6.17 through v6.4.1.

  • CVE-2023-5511 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.

  • CVE-2023-5452 · Oct 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.

  • CVE-2022-3173 · Sep 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.

  • CVE-2022-3035 · Aug 29, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11.

  • CVE-2022-2997 · Aug 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.

  • CVE-2022-23064 · May 2, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to an attacker controlled server and thus…

  • CVE-2022-1511 · Apr 28, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4.

  • CVE-2022-1445 · Apr 24, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Stored cross-site scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie.

  • CVE-2022-1380 · Apr 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Stored cross-site scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.

  • CVE-2022-1155 · Mar 30, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Old sessions are not blocked by the login-enable function in GitHub repository snipe/snipe-it prior to 5.3.10.

  • CVE-2022-0622 · Feb 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11.

  • CVE-2022-0611 · Feb 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.

  • CVE-2022-0579 · Feb 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.

  • CVE-2022-0569 · Feb 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.

  • CVE-2022-0178 · Jan 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization vulnerability in snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8.

  • CVE-2022-0179 · Jan 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Missing Authorization

  • CVE-2021-4130 · Dec 18, 2021
    risk 0.00 · cvss n/a · epss 0.00

    snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-4108 · Dec 14, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-4089 · Dec 10, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Access Control

  • CVE-2021-4075 · Dec 6, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Server-Side Request Forgery (SSRF)

  • CVE-2021-4018 · Dec 1, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3961 · Nov 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3931 · Nov 13, 2021
    risk 0.00 · cvss n/a · epss 0.00

    snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2021-3938 · Nov 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3879 · Oct 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3863 · Oct 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2021-3858 · Oct 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2019-10118 · Mar 27, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
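To turn the list above into a check, the following added example (not VYPR's or Snipe-IT's code) transcribes the affected ranges stated in the descriptions into a table and reports which entries still apply to a given installed version. Entries whose description names no version at all (the 2021 CVEs, CVE-2022-0179, and the truncated CVE-2026-54329 and CVE-2026-55482) are left out; an entry that names a single version (for example CVE-2019-25264 on 4.7.5) matches only that version, which is how the page states it, not a claim that other versions are safe; and an entry that cites a commit rather than a release as the fix (CVE-2026-37709) is reported without a fixed version rather than guessed. Dropping pre-release and build suffixes during version parsing is an assumption of the example.

```python
"""Check an installed Snipe-IT version against the affected ranges this page lists.

Added example, not VYPR's or Snipe-IT's code. AFFECTED is transcribed from the
CVE descriptions above; each row is (cve, first affected, last affected, fixed in),
with inclusive first/last, exclusive fixed, and None meaning "not stated".
"""
import re


def parse_version(text):
    """'v8.3.7', 'v.8.4.0', '8.4.0 (build 21280-g91a95dbc6)', 'v3.0-alpha' -> int tuple.

    Pre-release tags and build metadata are dropped (assumption: the page's
    ranges are expressed on the numeric part only). Short versions are padded
    so that 8.3 compares equal to 8.3.0.
    """
    m = re.match(r"v?\.?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


AFFECTED = [
    ("CVE-2026-37709", None, "8.4.0", None),      # "v8.4.0 and before"; fix cited as a commit
    ("CVE-2025-15602", None, None, "8.3.7"),
    ("CVE-2026-38533", "8.4.0", "8.4.0", None),   # page names v8.4.0 only
    ("CVE-2026-48507", None, None, "8.6.0"),
    ("CVE-2019-25264", "4.7.5", "4.7.5", None),   # page names 4.7.5 only
    ("CVE-2025-63743", "8.3.0", "8.3.1", None),
    ("CVE-2026-44831", None, None, "8.4.1"),
    ("CVE-2026-55519", "8.4.0", "8.4.0", None),   # page names v8.4.0 only
    ("CVE-2025-65621", None, None, "8.3.4"),
    ("CVE-2025-65622", None, None, "8.3.4"),
    ("CVE-2025-63601", None, None, "8.3.3"),
    ("CVE-2025-59712", None, None, "8.1.18"),
    ("CVE-2025-59713", None, None, "8.1.18"),
    ("CVE-2025-47226", None, None, "8.1.0"),
    ("CVE-2024-51094", "7.0.13", "7.0.13", None), # page names v7.0.13 only
    ("CVE-2024-5685", "4.6.17", "6.4.1", None),
    ("CVE-2023-5511", None, None, "6.2.3"),
    ("CVE-2023-5452", None, None, "6.2.2"),
    ("CVE-2022-3173", None, None, "6.0.10"),
    ("CVE-2022-3035", None, None, "6.0.11"),
    ("CVE-2022-2997", None, None, "6.0.10"),
    ("CVE-2022-23064", "3.0", "5.3.7", None),     # "v3.0-alpha to v5.3.7"
    ("CVE-2022-1511", None, None, "5.4.4"),
    ("CVE-2022-1445", None, None, "5.4.3"),
    ("CVE-2022-1380", None, None, "5.4.3"),
    ("CVE-2022-1155", None, None, "5.3.10"),
    ("CVE-2022-0622", None, None, "5.3.11"),
    ("CVE-2022-0611", None, None, "5.3.11"),
    ("CVE-2022-0579", None, None, "5.3.9"),
    ("CVE-2022-0569", None, None, "5.3.9"),
    ("CVE-2022-0178", None, None, "5.3.8"),
    ("CVE-2019-10118", None, None, "4.6.14"),
]


def matches(version, entry):
    """True when `version` (a parsed tuple) falls inside the entry's stated range."""
    _, first, last, fixed = entry
    if first is not None and version < parse_version(first):
        return False
    if last is not None and version > parse_version(last):
        return False
    if fixed is not None and version >= parse_version(fixed):
        return False
    return True


def applicable_cves(version_text):
    """Return [(cve, note)] for every table row that covers the installed version."""
    version = parse_version(version_text)
    hits = []
    for entry in AFFECTED:
        if matches(version, entry):
            cve, _, last, fixed = entry
            note = f"fixed in {fixed}" if fixed else f"no fixed version stated; page names {last} as affected"
            hits.append((cve, note))
    return hits


if __name__ == "__main__":
    for cve, note in applicable_cves("8.4.0 (build 21280-g91a95dbc6)"):
        print(cve, note)
```

Run it with the version string from the instance's About page; an empty result means only that none of the ranges this page states covers that version, not that the instance is patched for anything the page leaves unversioned.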
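Three entries above (CVE-2025-15602, CVE-2026-38533, CVE-2026-48507) describe one weakness, a holder of the granular users.edit permission reaching privilege and account-state fields such as `activated` through mass assignment, and CVE-2026-55482 describes its company-scoping cousin, a `company_id` taken straight from the request instead of from a per-user scoping function. The following added example models both in Python, with the vulnerable shape next to the hardened one; the classes, permission names, field lists and `company_id_for_current_user` are assumptions made for the example and are not Snipe-IT's code.

```python
"""Field-level authorization for a user-update endpoint, plus company scoping.

Added example modelling the weaknesses this page describes; the classes,
permission names, field lists and the scoping function are assumptions for
the example, not Snipe-IT's code.
"""
from dataclasses import dataclass, field

FMCS_ENABLED = True  # Full Multiple Companies Support, as named on the page


@dataclass
class Actor:
    id: int
    company_id: int
    permissions: set = field(default_factory=set)  # granular permissions, e.g. {"users.edit"}
    superuser: bool = False


@dataclass
class User:
    id: int
    company_id: int
    first_name: str
    activated: bool = True        # the account-state flag the page names
    superuser: bool = False
    password_hash: str = "<hash>"


@dataclass
class Asset:
    id: int
    company_id: int


class Forbidden(Exception):
    pass


# What a plain users.edit holder may change, and what only a superuser may change.
PROFILE_FIELDS = {"first_name", "last_name", "email", "phone", "company_id"}
SENSITIVE_FIELDS = {"activated", "superuser", "password_hash"}


def company_id_for_current_user(actor, requested):
    """Stand-in for the per-user scoping the page attributes to
    Company::getIdForCurrentUser(): with FMCS on, a non-superuser can only
    scope records to their own company, whatever the request asks for."""
    if actor.superuser or not FMCS_ENABLED:
        return requested
    return actor.company_id


def denial_reasons(actor, target, payload):
    """Reasons this update must be refused; an empty list means it may proceed."""
    reasons = []
    if "users.edit" not in actor.permissions and not actor.superuser:
        reasons.append("users.edit required")
    if target.superuser and not actor.superuser:
        reasons.append("only a superuser may edit a superuser")
    for key in payload:
        if key in SENSITIVE_FIELDS and not actor.superuser:
            reasons.append(f"{key} is not editable with users.edit")
        elif key not in PROFILE_FIELDS | SENSITIVE_FIELDS:
            reasons.append(f"unknown field {key}")
    return reasons


def update_user_vulnerable(actor, target, payload):
    """Mass assignment: the permission check passes, then every key lands on the model."""
    if "users.edit" not in actor.permissions and not actor.superuser:
        raise Forbidden("users.edit required")
    for key, value in payload.items():
        setattr(target, key, value)
    return target


def update_user_hardened(actor, target, payload):
    """Allow-listed fields only, sensitive fields gated on superuser, company scoped."""
    reasons = denial_reasons(actor, target, payload)
    if reasons:
        raise Forbidden("; ".join(reasons))  # reject outright rather than silently dropping keys
    for key, value in payload.items():
        if key == "company_id":
            value = company_id_for_current_user(actor, value)
        setattr(target, key, value)
    return target


def bulk_move_assets(actor, assets, requested_company_id):
    """Bulk update that runs company_id through the scoping function instead of
    trusting the request; returns the company the assets ended up in."""
    company_id = company_id_for_current_user(actor, requested_company_id)
    for asset in assets:
        asset.company_id = company_id
    return company_id
```

Rejecting a request that names a restricted field, rather than silently discarding the field, is deliberate: a silent drop hides the probe from logs and leaves the client believing the write succeeded.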
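CVE-2019-25264 above is the classic SVG upload problem: an SVG is an XML document that browsers will execute script from when it is rendered inline. The following added example (not Snipe-IT's upload handling) is a strict pre-storage check that refuses any SVG carrying a script-capable element, an event-handler attribute or a scripting URL; the element and scheme lists are a deliberately conservative choice made for the example, and the sample files are constructed here.

```python
"""Reject SVG uploads that can run script when rendered inline.

Added example for the SVG-with-embedded-JavaScript issue this page lists
(CVE-2019-25264); not Snipe-IT's code. Element/scheme lists are a strict
choice for this example.
"""
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# script itself, foreignObject (arbitrary HTML inside the SVG), and the SMIL
# animation elements that can rewrite attributes such as href at runtime.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def local_name(qualified):
    """'{namespace}tag' -> 'tag'; unqualified names pass through unchanged."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return the reasons this upload is unsafe; an empty list means it passed."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):           # onload, onclick, onmouseover ...
                findings.append(f"event handler {name} on <{tag}>")
            compact = "".join(value.split()).lower()    # defeat "java\nscript:" spacing tricks
            if attr in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                findings.append(f"{name} on <{tag}> uses a scripting URL")
    return findings


# Constructed samples for the example, not files from any real incident.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "href": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>'),
}


def scan_samples():
    """Run the check over every constructed sample; returns {name: findings}."""
    return {name: svg_findings(svg) for name, svg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

This check is a gate, not a sanitizer: it does not look inside `<style>` blocks or at `<use>` references to external documents, and for untrusted XML in production the parser should be defusedxml rather than the stdlib module. The reliable fix for the viewing side is to never serve user uploads inline from the application origin (a separate origin, or `Content-Disposition: attachment`, or rasterising the image) so that a file that slips past the gate cannot run in another user's session.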