Snipe Snipe-It vulnerabilities
57 known vulnerabilities affecting snipe/snipe-it.
Total CVEs: 57
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown
CRITICAL: 1 · HIGH: 14 · MEDIUM: 39 · LOW: 3
Vulnerabilities
Page 1 of 3
CVE-2025-15602 · P2 · HIGH · affected: ≥ 0, < 8.3.7 · 2026-03-06
CVE-2025-15602 [HIGH] CWE-915 Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious
Sources: ghsa, osv
CVE-2026-37709 · P3 · CRITICAL · affected: ≥ 0, < 8.4.1 · 2026-05-08
CVE-2026-37709 [CRITICAL] CWE-284 Snipe-IT has insecure permissions in file uploads
Insecure Permissions vulnerability in grokability snipe-it versions through 8.4.0, fixed after 2026-03-10 commit 676a9958, allows a remote attacker to execute arbitrary code via the `app/Http/Controllers/Api/UploadedFilesController.php` component.
### Impact
Users who can view assets, consumables, etc. were able to send a POST request to `/api/v1/{object_type}/{id}
Sources: ghsa
CVE-2026-44832 · P3 · HIGH · affected: ≥ 0, < 8.4.1 · 2026-05-08
CVE-2026-44832 [HIGH] CWE-281 Snipe-IT has Privilege Escalation via API Permissions Assignment
### Impact
An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user
Sources: ghsa
CVE-2022-23064 · P3 · HIGH · CVSS 8.8 · affected: ≥ v3.0-alpha, < unspecified; ≥ unspecified, ≤ v5.3.7 · 2022-05-02
CVE-2022-23064 [HIGH] CWE-74 In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection.
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server, leaking the password reset token. This leads to account takeover.
Sources: ghsa, nvd, osv
CVE-2023-5452 · P4 · MEDIUM · PoC · affected: ≥ 0, < 6.2.2 · 2023-10-06
CVE-2023-5452 [MEDIUM] CWE-79 Cross-site Scripting in snipe/snipe-it
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.
Sources: ghsa, osv
CVE-2022-0611 · P3 · HIGH · affected: ≥ 0, < 5.3.11 · 2022-02-17
CVE-2022-0611 [HIGH] CWE-269 Improper Privilege Management in Snipe-IT
An unprivileged user of Snipe-IT prior to version 5.3.11 can create maintenance for an asset. Version 5.3.11 contains a patch for this issue.
Sources: ghsa, osv
CVE-2024-5685 · P3 · HIGH · CVSS 8.1 · affected: ≥ v4.6.17, ≤ v6.4.1 · 2024-06-14
CVE-2024-5685 [HIGH] CWE-862 Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users via API call
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1.
Sources: ghsa, nvd, osv
CVE-2025-59713 · P3 · MEDIUM · affected: ≥ 0, < 8.1.18 · 2025-09-19
CVE-2025-59713 [MEDIUM] CWE-502 Snipe-IT allows unsafe deserialization
Snipe-IT before 8.1.18 allows unsafe deserialization.
Sources: ghsa, osv
CVE-2024-48987 · P3 · HIGH · affected: ≥ 0, < 7.0.10 · 2024-10-11
CVE-2024-48987 [HIGH] CWE-1393 Snipe-IT remote code execution
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
Sources: ghsa, osv
CVE-2024-51093 · P3 · HIGH · affected: ≥ 0, ≤ 7.0.13 · 2024-11-12
CVE-2024-51093 [HIGH] CWE-79 Cross Site Scripting vulnerability in Snipe-IT
Cross Site Scripting vulnerability in Snipe-IT v.7.0.13 allows a remote attacker to escalate privileges via an unknown part of the file /users/{{user-id}}/#files.
Sources: ghsa, osv
CVE-2025-47226 · P4 · MEDIUM · PoC · affected: ≥ 0, < 8.1.0 · 2025-05-02
CVE-2025-47226 [MEDIUM] CWE-425 Grokability Snipe-IT has incorrect authorization for accessing asset information
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
Sources: ghsa, osv
CVE-2026-48507 · P3 · HIGH · affected: ≥ 0, < 8.6.0 · 2026-06-23
CVE-2026-48507 [HIGH] CWE-863 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
### Impact
The vulnerability allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the u
Sources: ghsa
CVE-2022-1155 · P3 · HIGH · affected: ≥ 6.0.0-RC-1, < 6.0.0-RC-6; ≥ 0, < 5.4.2 · 2022-03-31
CVE-2022-1155 [HIGH] CWE-613 Old sessions not blocked by login enable function in Snipe-IT
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the
Sources: ghsa, osv
CVE-2021-4075 · P3 · HIGH · affected: ≥ 0, < 6.0.0-GM · 2021-12-10
CVE-2021-4075 [HIGH] CWE-918 Server-Side Request Forgery in snipe/snipe-it
Admin users on the external network can perform blind POST-based SSRF (issue requests on behalf of the server into the internal network) via the Slack Integration. This vulnerability enables port-scanning of the internal network and issuing POST requests to web servers on the internal network, which can be escalated to higher impact.
Sources: ghsa, osv
CVE-2023-5511 · P3 · HIGH · affected: ≥ 0, < 6.2.3 · 2023-10-11
CVE-2023-5511 [HIGH] CWE-352 Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.
Sources: ghsa, osv
CVE-2022-0579 · P4 · MEDIUM · affected: ≥ 0, < 5.3.9 · 2022-02-15
CVE-2022-0579 [MEDIUM] CWE-269 Improper Privilege Management in Snipe-IT
Snipe-IT prior to 5.3.9 is vulnerable to improper privilege management. A user who does not have access to the supplier module may view supplier content.
Sources: ghsa, osv
CVE-2022-1511 · P4 · MEDIUM · affected: ≥ 0, < 5.4.4 · 2022-04-29
CVE-2022-1511 [MEDIUM] CWE-862 Improper Access Control in snipe/snipe-it
Snipe-IT prior to 5.4.4 is vulnerable to Missing Authorization.
Sources: ghsa, osv
CVE-2021-3858 · P4 · MEDIUM · affected: ≥ 0, < 5.3.0 · 2021-10-21
CVE-2021-3858 [MEDIUM] CWE-352 Cross-Site Request Forgery in snipe-it
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: ghsa, osv
CVE-2022-2997 · P4 · MEDIUM · affected: ≥ 0, < 6.0.10 · 2022-08-26
CVE-2022-2997 [MEDIUM] CWE-384 Insufficient Session Expiration in snipe/snipe-it
Session Fixation in GitHub repository snipe/snipe-it prior to version 6.0.10. The session is not invalidated after a password change.
Sources: ghsa, osv
CVE-2021-4130 · P4 · HIGH · affected: ≥ 0, < 5.3.6 · 2022-01-05
CVE-2021-4130 [HIGH] CWE-352 snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: ghsa, osv