CVE-2026-44831
Published 2026-05-26
Priority: P4 (25) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.22% (percentile 12.2)
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grokability | snipe-it | < 8.4.1 | 8.4.1 |
| snipe | snipe-it | >= 0 < 8.4.1 | 8.4.1 |
| snipeitapp | snipe-it | < 8.4.1 | 8.4.1 |
VulDB
Grokability Snipe-IT up to 8.4.0 cross-site scripting (vuldb, 2026-05-26, CVE-2026-44831, CVSS 5.4, MEDIUM)
A vulnerability identified as problematic has been detected in Grokability Snipe-IT up to 8.4.0. The impacted element is an unknown function. The manipulation leads to cross-site scripting.
This vulnerability is documented as CVE-2026-44831. The attack can be initiated remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0) (ghsa, 2026-05-08, CVE-2026-44831, MEDIUM, CWE-79)
### Impact
Users with component view access could be impacted by an unescaped `notes` column.
### Patches
This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.
### Workarounds
None.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.