Grokability Snipe-IT vulnerabilities
5 known vulnerabilities affecting grokability/snipe-it. All five are fixed in the 8.x line, three in 8.4.1 and two in 8.6.0, so 8.6.0 is the minimum version that closes everything listed here; none is in CISA KEV, has a public exploit, or is known to be exploited in the wild.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 2
Vulnerabilities
CVE-2026-44832 | P3 | HIGH | CVSS 8.8 | CWE-281 | fixed in 8.4.1 | 2026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user holding only the `users.edit` permission can escalate their own privileges to admin by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permissions […]
Source: NVD
CVE-2026-48507 | P3 | HIGH | CVSS 7.1 | CWE-863 | fixed in 8.6.0 | 2026-06-08
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a non-admin user holding only the granular `users.edit` permission can lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag, which determines whether or not th[…]
Source: NVD
CVE-2026-48493 | P4 | MEDIUM | CVSS 5.5 | CWE-863 | fixed in 8.6.0 | 2026-06-23
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only `users.edit` can send a PATCH to `/api/v1/users/{their_own_id}` and grant themselves any permission except `admin` and `superuser`, for example `assets.view`, `assets.create`, `reports.view`, import, and so on. Read together with CVE-2026-44832, this means the 8.4.1 fix stopped the `admin` key but kept the deny-list approach, so 8.6.0 is the version that actually closes the self-granting path. The issue is patched in version 8.6.0.
Source: NVD
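CVE-2026-44832, CVE-2026-48493 and CVE-2026-48507 above are one bug class: the handler behind `PATCH /api/v1/users/{id}` strips a few dangerous keys from the request body instead of asking whether the caller is allowed to change permissions or account state at all. The Python model below is an added example, not Snipe-IT code. The `User` class, the policy functions and the `patch_user` handler are assumptions built only to reproduce the behaviour the three advisories describe (strip `superuser` only; strip `superuser` and `admin`; and a proposed allow-list rule that is this example's own and not the project's actual 8.6.0 patch). The field names `permissions`, `users.edit`, `activated` and `ldap_import` are taken from the advisories; the two accounts in `demo()` are constructed.

```python
from dataclasses import dataclass, field

PRIVILEGE_KEYS = {"superuser", "admin"}         # permission keys named in the advisories
SENSITIVE_FLAGS = {"activated", "ldap_import"}  # account-state flags named in CVE-2026-48507


@dataclass
class User:
    """Assumed minimal user record: a permissions map such as {"users.edit": 1}
    plus the two account-state flags (not Snipe-IT's real schema)."""
    id: int
    permissions: dict = field(default_factory=dict)
    flags: dict = field(default_factory=lambda: {"activated": 1, "ldap_import": 0})

    def is_privileged(self):
        return self.permissions.get("superuser") == 1 or self.permissions.get("admin") == 1

    def can_edit_users(self):
        return self.is_privileged() or self.permissions.get("users.edit") == 1


def deny_list_policy(stripped_keys):
    """Build the vulnerable shape: drop only `stripped_keys` from permissions[]
    and let every other key, and every other body field, through unchanged."""
    def policy(actor, target, body):
        clean = dict(body)
        clean["permissions"] = {k: v for k, v in body.get("permissions", {}).items()
                                if k not in stripped_keys}
        return clean
    return policy


# Pre-8.4.1 per CVE-2026-44832: only superuser is stripped, so permissions[admin]=1 lands.
policy_pre_8_4_1 = deny_list_policy({"superuser"})
# 8.4.1 up to 8.6.0 per CVE-2026-48493 and CVE-2026-48507: admin and superuser are
# stripped, but any other permission and the activated/ldap_import flags still pass.
policy_pre_8_6_0 = deny_list_policy(PRIVILEGE_KEYS)


def policy_hardened(actor, target, body):
    """Proposed allow-list rule (this example's assumption, not the project's actual
    8.6.0 patch): touching permissions or account state requires admin, may never
    target the caller's own account, and only a superuser may grant superuser."""
    requested = body.get("permissions", {})
    if requested or SENSITIVE_FLAGS.intersection(body):
        if not actor.is_privileged():
            raise PermissionError("permission/account-state changes require admin")
        if actor.id == target.id:
            raise PermissionError("cannot change your own permissions or account state")
        if requested.get("superuser") == 1 and actor.permissions.get("superuser") != 1:
            raise PermissionError("only a superuser may grant superuser")
    return dict(body)   # other fields (names, e-mail, ...) pass for any users.edit holder


def patch_user(actor, target, body, policy):
    """Model of PATCH /api/v1/users/{id}: authorise, sanitise with `policy`, apply."""
    if not actor.can_edit_users():
        raise PermissionError("users.edit required")
    clean = policy(actor, target, body)
    target.permissions.update(clean.get("permissions", {}))
    for flag in SENSITIVE_FLAGS.intersection(clean):
        target.flags[flag] = clean[flag]
    return target


def demo():
    """Replay the advisory scenarios plus one legitimate admin edit against each policy."""
    results = {}
    for name, policy in (("pre_8_4_1", policy_pre_8_4_1),
                         ("pre_8_6_0", policy_pre_8_6_0),
                         ("hardened", policy_hardened)):
        editor = User(id=7, permissions={"users.edit": 1})  # constructed low-privilege account
        admin = User(id=1, permissions={"admin": 1})         # constructed admin account

        def attempt(actor, target, body, succeeded):
            try:
                patch_user(actor, target, body, policy)
            except PermissionError:
                return False
            return succeeded()

        results[name] = {
            # CVE-2026-44832: users.edit holder makes themselves admin
            "self_admin": attempt(editor, editor, {"permissions": {"admin": 1}},
                                  lambda: editor.permissions.get("admin") == 1),
            # CVE-2026-48493: users.edit holder grants themselves any other permission
            "self_assets_create": attempt(editor, editor, {"permissions": {"assets.create": 1}},
                                          lambda: editor.permissions.get("assets.create") == 1),
            # CVE-2026-48507: users.edit holder deactivates an admin (lock-out)
            "admin_locked_out": attempt(editor, admin, {"activated": 0},
                                        lambda: admin.flags["activated"] == 0),
            # Control: an admin granting a permission to someone else must still work
            "admin_grants_editor": attempt(admin, editor, {"permissions": {"assets.view": 1}},
                                           lambda: editor.permissions.get("assets.view") == 1),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why two rounds of fixes were needed: the pre-8.4.1 policy lets all three attacks through, the pre-8.6.0 policy only blocks the `admin` key while self-granting other permissions and deactivating admins still succeed, and the allow-list rule blocks all three while the admin's legitimate grant still works. The design point is that who may change a field is a property of the caller and the target, not of the key name, so a deny-list of key names can never be complete.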
CVE-2026-44833 | P4 | HIGH | CVSS 7.1 | CWE-601 | fixed in 8.4.1 | 2026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect allows attackers to send users to malicious sites: the HTTP Referer header is stored in a session variable without validation and later used as a redirect target. This vulnerability is fixed in 8.4.1.
Source: NVD
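CVE-2026-44833 above has the classic open-redirect shape: a Referer value is saved in the session and later handed to a redirect without checking where it points. The Python below is an added example, not Snipe-IT code; `APP_HOST`, the function names and the sample Referer values are constructed for illustration. `unsafe_return_url` is the vulnerable pattern, `safe_return_url` reduces any candidate to a same-origin path and falls back to `/` for anything else, including the scheme-relative (`//host`), backslash (`/\host`) and userinfo (`ourhost@evil`) forms that browsers resolve off-site.

```python
from urllib.parse import urlsplit

# Assumed hostname of our own instance (illustration only).
APP_HOST = "assets.example.internal"
DEFAULT_RETURN = "/"


def unsafe_return_url(referer, default=DEFAULT_RETURN):
    """The vulnerable pattern: the stored Referer becomes the redirect target as-is."""
    return referer or default


def safe_return_url(referer, default=DEFAULT_RETURN):
    """Return a same-origin path derived from `referer`, or `default` when the
    value cannot be shown to stay on APP_HOST."""
    if not referer:
        return default
    parts = urlsplit(referer.strip())
    # Only http(s) or a bare path; this rejects javascript:, data: and friends.
    if parts.scheme not in ("", "http", "https"):
        return default
    # An absolute URL must name exactly our host: no other host, port or userinfo.
    if parts.netloc and parts.netloc.lower() != APP_HOST:
        return default
    path = parts.path or "/"
    # Require an absolute path on this origin; "//host" and "/\host" are read by
    # browsers as scheme-relative URLs and would leave the site.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return default
    # Re-emit only path and query so scheme, host and fragment never leak through.
    return path + ("?" + parts.query if parts.query else "")


# Constructed Referer values covering the cases a reviewer would probe.
SAMPLE_REFERERS = [
    None,
    "/licenses",
    "https://assets.example.internal/hardware?page=2",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example",
    "javascript:alert(1)",
    "https://assets.example.internal@evil.example/",
]


def compare_policies():
    """Map each sample Referer to (unsafe target, safe target)."""
    return {r: (unsafe_return_url(r), safe_return_url(r)) for r in SAMPLE_REFERERS}


if __name__ == "__main__":
    for ref, (unsafe, safe) in compare_policies().items():
        print(f"{ref!r:50} unsafe -> {unsafe!r:45} safe -> {safe!r}")
```

The fix discards the scheme and host entirely rather than allow-listing them, which also removes the temptation to compare hostnames with `startswith` or a substring check, two mistakes that turn a host allow-list back into an open redirect.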
CVE-2026-44831 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.4.1 | 2026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, the component notes column is rendered without escaping, so markup stored in a note executes in the browser of any user with component view access (stored cross-site scripting, XSS). This vulnerability is fixed in 8.4.1.
Source: NVD