cvebase

Snipe Snipe-It vulnerabilities

57 known vulnerabilities affecting snipe/snipe-it.

Total CVEs: 57
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 14, MEDIUM 39, LOW 3

Vulnerabilities

Page 2 of 3
CVE-2026-48493 | P4 | MEDIUM | Affected: ≥ 0, < 8.6.0 | 2026-06-23
CWE-863: Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Impact: A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser — for example `assets.view`, `assets.create`, `reports.view`, import, etc.
Patches: Patched in https://github.com/grokabilit
Source: GHSA
CVE-2026-44833 | P4 | MEDIUM | Affected: ≥ 0, < 8.4.1 | 2026-05-08
CWE-601: Snipe-IT has an open redirect vulnerability
An open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable.
Impact:
- **Phishing**: Redirect users to fake login pages to steal credentials
- **Session Hijacking**: Redirect to attacker site that captures session cookies via JavaScript
- **Malware Distribution**: Redirect to
Source: GHSA
CVE-2022-0178 | P4 | MEDIUM | Affected: ≥ 0, < 5.3.8 | 2022-01-26
CWE-284: Improper Access Control in snipe-it
Users with no system permissions are able to see and create personal access tokens.
Sources: GHSA, OSV
CVE-2022-44381 | P4 | MEDIUM | Affected: ≥ 0, ≤ 6.0.14 | 2022-12-25
CWE-203: Snipe-IT allows attackers to check whether a user account exists
Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.
Sources: GHSA, OSV
CVE-2025-65622 | P4 | MEDIUM | Affected: ≥ 0, < 8.3.4 | 2025-12-02
CWE-79: Snipe-IT allows stored XSS via the Locations "Country" field
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
Sources: GHSA, OSV
CVE-2025-65621 | P4 | MEDIUM | Affected: ≥ 0, < 8.3.4 | 2025-12-01
CWE-269: Snipe-IT is vulnerable to stored cross-site scripting
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
Sources: GHSA, OSV
CVE-2025-64027 | P4 | MEDIUM | Affected: ≥ 0, ≤ 8.3.4 | 2025-11-20
CWE-79: Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update req
Sources: GHSA, OSV
CVE-2022-32060 | P4 | MEDIUM | Affected: ≥ 0, ≤ 6.0.2 | 2022-07-08
CWE-79: Snipe-IT 6.0.2 vulnerable to Cross-site Scripting via arbitrary file upload in Update Branding Settings
An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
Sources: GHSA, OSV
CVE-2019-10118 | P4 | MEDIUM | Affected: ≥ 0, < 4.6.14 | 2022-05-14
CWE-79: Snipe-IT XSS Vulnerability
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
Sources: GHSA, OSV
CVE-2022-1380 | P4 | MEDIUM | Affected: ≥ 0, < 5.4.3 | 2022-04-17
CWE-79: Cross-site Scripting in snipe-it
Stored cross-site scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.
Sources: GHSA, OSV
CVE-2022-1445 | P4 | MEDIUM | Affected: ≥ 0, < 5.4.3 | 2022-04-25
CWE-79: Stored cross-site scripting in Snipe-IT
Snipe-IT prior to version 5.4.3 is vulnerable to stored cross-site scripting because the input to the `checked_out_to` parameter is not escaped. The vulnerability is capable of stealing a user's cookie.
Sources: GHSA, OSV
CVE-2026-44831 | P4 | MEDIUM | Affected: ≥ 0, < 8.4.1 | 2026-05-08
CWE-79: Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
Impact: Users with component view access could be impacted by an unescaped `notes` column.
Patches: This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater.
Workarounds: None.
Source: GHSA
CVE-2022-32061 | P4 | MEDIUM | Affected: ≥ 0, ≤ 6.0.2 | 2022-07-08
CWE-79: Snipe-IT 6.0.2 vulnerable to Cross-site Scripting
An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
Sources: GHSA, OSV
CVE-2021-3879 | P4 | MEDIUM | Affected: ≥ 0, < 5.3.0 | 2021-10-21
CWE-79: Cross-site Scripting in snipe-it
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2021-4108 | P4 | MEDIUM | Affected: ≥ 0, < 5.3.5 | 2021-12-16
CWE-79: snipe-it is vulnerable to Cross-site Scripting
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2021-3863 | P4 | MEDIUM | Affected: ≥ 0, < 5.3.0 | 2021-10-21
CWE-79: Cross-site Scripting in snipe-it
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2021-3961 | P4 | HIGH | Affected: ≥ 0, < 5.3.2 | 2021-11-23
CWE-79: Cross-site Scripting in snipe/snipe-it
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2021-4018 | P4 | MEDIUM | Affected: ≥ 0, < 5.3.3 | 2021-12-03
CWE-79: snipe-it is vulnerable to Cross-site Scripting
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2021-3938 | P4 | LOW | Affected: ≥ 0, < 5.4.0 | 2021-11-15
CWE-79: snipe-it is vulnerable to Cross-site Scripting
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Sources: GHSA, OSV
CVE-2022-44380 | P4 | MEDIUM | Affected: ≥ 0, < 6.0.14 | 2022-12-25
CWE-79: Snipe-IT vulnerable to Cross Site Scripting for View Assigned Assets
Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.
Sources: GHSA, OSV