CVE-2026-37709
Published 2026-05-07
Priority P3 (56) · Severity critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% (37.5th percentile)
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| snipe | snipe-it | >= 0 < 8.4.1 | 8.4.1 |
| snipeitapp | snipe-it | < 8.4.1 | 8.4.1 |
GHSA
Snipe-IT has insecure permissions in file uploads
ghsa · 2026-05-08 · CVE-2026-37709 · CRITICAL · CWE-284
Insecure Permissions vulnerability in grokability snipe-it versions through 8.4.0, fixed after 2026-03-10 commit 676a9958, allows a remote attacker to execute arbitrary code via the `app/Http/Controllers/Api/UploadedFilesController.php` component
### Impact
Users who can view assets, consumables, etc., were able to send a POST request to `/api/v1/{object_type}/{id}/files`. The API authorized with "view" instead of write permission and persisted the file and audit log entry.
### Patches
Fixed after 2026-03-10 commit 676a9958; the fix was released in 8.4.1.
### Workarounds
None.
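An added illustration of the bug class the advisory describes (a write endpoint gated by the read ability), not Snipe-IT's own code: the permission names, the in-memory store and the handler shape are assumed for the demo, only the route is the page's.

```php
<?php
// Added example, not Snipe-IT code. Models POST /api/v1/{object_type}/{id}/files
// with the ability it checks as a parameter: 'view' reproduces the advisory's
// behaviour, 'update' is the corrected check. Permission names are assumed.
declare(strict_types=1);

final class FileStore
{
    /** @var array<int, array{user:string, object:string, name:string}> */
    public array $files = [];
    /** @var string[] audit log rows written alongside each stored file */
    public array $audit = [];
}

/** Authorization oracle: does $user hold $ability on this object type? */
function userCan(array $user, string $ability, string $objectType): bool
{
    return in_array("$objectType.$ability", $user['permissions'], true);
}

/** Upload handler; returns an HTTP-style status code. */
function uploadFile(FileStore $store, array $user, string $objectType, int $id,
                    string $filename, string $requiredAbility): int
{
    // The check must run before any side effect (file write, audit row).
    if (!userCan($user, $requiredAbility, $objectType)) {
        return 403;
    }
    $store->files[] = ['user' => $user['name'], 'object' => "$objectType/$id", 'name' => $filename];
    $store->audit[] = "{$user['name']} uploaded $filename to $objectType/$id";
    return 201;
}

// Constructed user: may view assets but holds no write permission on them.
$viewer = ['name' => 'viewer', 'permissions' => ['assets.view']];

$vuln  = new FileStore();
$fixed = new FileStore();

// Vulnerable shape: a read check on a write path, so the file and the audit
// entry are persisted for a view-only user.
$vulnStatus = uploadFile($vuln, $viewer, 'assets', 42, 'notes.txt', 'view');
// Corrected shape: the write ability is required, so the request is refused
// and the store stays empty.
$fixedStatus = uploadFile($fixed, $viewer, 'assets', 42, 'notes.txt', 'update');

printf("view-gated:   status %d, files=%d, audit rows=%d\n",
       $vulnStatus, count($vuln->files), count($vuln->audit));
printf("update-gated: status %d, files=%d, audit rows=%d\n",
       $fixedStatus, count($fixed->files), count($fixed->audit));
```

A regression test for the real controller follows the same shape: authenticate as a user with only the view permission on the object type, POST a file to the route, and assert both the response status and that no file or audit row was created.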
VulDB
Grokability snipe-it up to 8.4.0 UploadedFilesController.php unrestricted upload
vuldb · 2026-05-07 · CVE-2026-37709 · CRITICAL · CVSS 9.8
A vulnerability identified as critical has been detected in Grokability snipe-it up to 8.4.0. Affected by this issue is some unknown functionality of the file app/Http/Controllers/Api/UploadedFilesController.php. Performing a manipulation results in unrestricted upload.
This vulnerability was named CVE-2026-37709. The attack may be initiated remotely. There is no available exploit.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.