CVE-2026-44833
Published 2026-05-26
Priority: P4 · Severity: high · CVSS 3.1 base score: 7.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS: 0.16% (5.9th percentile)
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header that is stored in a session variable and later used as a redirect target. This vulnerability is fixed in 8.4.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grokability | snipe-it | < 8.4.1 | 8.4.1 |
| snipe | snipe-it | >= 0 < 8.4.1 | 8.4.1 |
| snipeitapp | snipe-it | < 8.4.1 | 8.4.1 |
VulDB
vuldb · 2026-05-26 · CVSS 7.1 · [HIGH]
CVE-2026-44833: Grokability Snipe-IT up to 8.4.0 HTTP Referer Header redirect
A vulnerability was found in Grokability Snipe-IT up to 8.4.0 and rated as problematic. An unknown function of the HTTP Referer header handler is affected; manipulating the header results in an open redirect.
This vulnerability is cataloged as CVE-2026-44833. The attack can be initiated remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
ghsa · 2026-05-08 · [MEDIUM] · CWE-601
CVE-2026-44833: Snipe-IT has an open redirect vulnerability
Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.
### Impact
- **Phishing**: Redirect users to fake login pages to steal credentials
- **Session Hijacking**: Redirect to an attacker-controlled page that imitates Snipe-IT and captures credentials or session tokens the user re-enters there (the attacker's origin cannot read Snipe-IT's cookies via JavaScript, so capture depends on the user interacting with the lookalike page)
- **Malware Distribution**: Redirect to sites hosting malware or drive-by downloads
- **Reputation Damage**: Users lose trust when a legitimate application redirects them to malicious sites
- **Social Engineering**: The trusted Snipe-IT domain in the initial link increases the success rate of phishing
When the user clicks "Save", the application:
1. Processes the form
2. Checks `redirect_option` (if set to 'back')
3. Calls `Helper::getRe
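The flow described above (the Referer header remembered in the session, then used as the redirect target when `redirect_option` is `back`) as an added Python example, not Snipe-IT's own PHP code: the unvalidated pattern beside a hardened variant that only keeps same-origin, path-only targets and otherwise falls back to a fixed route. `APP_HOST`, `DEFAULT_AFTER_SAVE`, the `Session` stand-in and all function names are assumptions for illustration; the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for illustration only (not from the Snipe-IT code base).
APP_HOST = "assets.example.com"   # the host the application is served from
DEFAULT_AFTER_SAVE = "/hardware"  # safe route to land on when no valid "back" URL exists


class Session(dict):
    """Stand-in for a server-side session store (hypothetical helper)."""


# --- vulnerable pattern: raw Referer goes into the session and straight back out ---

def remember_back_url_unsafe(session, referer):
    """Stores whatever the client sent as Referer, with no validation."""
    if referer:
        session["back_url"] = referer


def redirect_target_unsafe(session, redirect_option):
    """On 'back', redirects to the remembered URL, whatever origin it points at."""
    if redirect_option == "back":
        return session.get("back_url", DEFAULT_AFTER_SAVE)
    return DEFAULT_AFTER_SAVE


# --- hardened pattern: only same-origin targets survive, reduced to a local path ---

def safe_local_url(candidate, app_host=APP_HOST):
    """Return a path-only redirect target if `candidate` is same-origin, else None.

    Accepts absolute http(s) URLs whose host matches `app_host` exactly and
    absolute paths ('/...'). Rejects other schemes, protocol-relative URLs
    ('//evil.example'), userinfo tricks ('https://app@evil.example'),
    backslash variants ('/\\evil.example') and control characters.
    """
    if not candidate:
        return None
    if any(c.isspace() or ord(c) < 0x20 for c in candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return None
        # Exact netloc match: a port or userinfo in the URL makes it differ, which is
        # deliberately strict (an attacker's 'app_host@evil.example' is rejected here).
        if parts.netloc.lower() != app_host.lower():
            return None
    else:
        # urlsplit('//evil.example/x') yields netloc='evil.example' with no scheme.
        if parts.netloc:
            return None
        if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
            return None
    path = parts.path or "/"
    if "\\" in path:
        return None
    # Emit only path + query: scheme and host are dropped, fragment discarded.
    return urlunsplit(("", "", path, parts.query, ""))


def remember_back_url_safe(session, referer, app_host=APP_HOST):
    """Stores the Referer only after reducing it to a validated local path."""
    local = safe_local_url(referer, app_host)
    if local is not None:
        session["back_url"] = local


def redirect_target_safe(session, redirect_option):
    """Re-validates at use time too, so a poisoned session value cannot leak out."""
    if redirect_option == "back":
        return safe_local_url(session.get("back_url")) or DEFAULT_AFTER_SAVE
    return DEFAULT_AFTER_SAVE


if __name__ == "__main__":
    s = Session()
    remember_back_url_unsafe(s, "https://evil.example/login")
    print("unsafe:", redirect_target_unsafe(s, "back"))   # leaves the site
    s = Session()
    remember_back_url_safe(s, "https://evil.example/login")
    print("safe:  ", redirect_target_safe(s, "back"))     # falls back to /hardware
```

Validating both when the value is stored and when it is consumed matters: a session value written by older code, or by any other code path that trusts client input, is still neutralised at the redirect.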
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-26