cvebase

Snipe Snipe-It vulnerabilities

57 known vulnerabilities affecting snipe/snipe-it.

Total CVEs: 57
CISA KEV: 0
Public exploits: 2
Exploited in the wild: 0
Severity breakdown: CRITICAL 1, HIGH 14, MEDIUM 39, LOW 3

Vulnerabilities

Page 3 of 3 (this page lists 17 of the 57 entries)
CVE-2022-0622 | P4 | MEDIUM | affected: ≥ 0, < 5.3.11 | 2022-02-18
[MEDIUM] CWE-209 Generation of Error Message Containing Sensitive Information in Snipe-IT. Snipe-IT prior to version 5.3.11 is vulnerable to Generation of Error Message Containing Sensitive Information.
Sources: GHSA, OSV
CVE-2022-3173 | P4 | MEDIUM | affected: ≥ 0, < 6.0.10 | 2022-09-18
[MEDIUM] CWE-287 Snipe-IT vulnerable to Improper Authentication. Snipe-IT prior to 6.0.10 is vulnerable to Improper Authentication. A user without the `View and Modify License Files` permission may access files uploaded to licenses as long as they have the `View` permission for licenses.
Sources: GHSA, OSV
CVE-2022-3035 | P4 | MEDIUM | affected: ≥ 0, < 6.0.11 | 2022-08-30
[MEDIUM] CWE-79 snipe-it vulnerable to cross-site scripting (XSS). Stored cross-site scripting (XSS) in GitHub repository snipe/snipe-it prior to v6.0.11.
Sources: GHSA, OSV
CVE-2022-0569 | P4 | MEDIUM | affected: ≥ 0, < 5.3.10 | 2022-02-15
[MEDIUM] CWE-200 Exposure of Sensitive Information in snipe/snipe-it. Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.10.
Sources: GHSA, OSV
CVE-2021-3931 | P4 | MEDIUM | affected: ≥ 0, ≤ 5.3.1 | 2021-11-15
[MEDIUM] CWE-352 snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). snipe-it up to and including 5.3.1 is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: GHSA, OSV
CVE-2021-4089 | MEDIUM | affected: ≥ 0, < 5.3.4 | 2021-12-16
[MEDIUM] CWE-284 snipe-it is vulnerable to Improper Access Control. snipe-it prior to version 5.3.4 is vulnerable to Improper Access Control. Regular users with `DENY` set on all models permissions can still view model information via the /models/{id}/clone endpoint because no authorize('view') check is applied there.
Sources: GHSA, OSV
CVE-2022-0179 | MEDIUM | affected: ≥ 0, < 5.3.7 | 2022-01-21
[MEDIUM] CWE-276 Incorrect Default Permissions and Improper Access Control in snipe-it. snipe-it prior to 5.3.7 is vulnerable to Improper Access Control / Incorrect Default Permissions.
Sources: GHSA, OSV
CVE-2025-59712 | MEDIUM | affected: ≥ 0, < 8.1.18 | 2025-09-19
[MEDIUM] CWE-79 Snipe-IT allows XSS. Snipe-IT before 8.1.18 allows XSS.
Sources: GHSA, OSV
CVE-2026-54329 | HIGH | affected: ≥ 0, < 8.6.2 | 2026-06-23
[HIGH] CWE-74 Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection.
Impact: A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign company_id value in the API request body. The issue oc
Sources: GHSA
CVE-2026-49976 | MEDIUM | affected: ≥ 0, < 8.6.0 | 2026-06-23
[MEDIUM] CWE-862 Snipe-IT Vulnerable to User Account Escalation via CSV Import.
Impact: The CSV user import in update mode bypasses user-edit authorization. A user with only the `import` permission can overwrite any non-admin user's email by uploading a CSV, then trigger a password reset to take over the account. `UserImporter.php` checks the `canEditAuthFields` gate and tries to strip auth fields from the model: `
Sources: GHSA
CVE-2026-49870 | MEDIUM | affected: ≥ 0, < 8.6.0 | 2026-06-23
[MEDIUM] CWE-770 Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`.
Impact: `POST /two-factor` had no rate limiting, lockout, or attempt counter. An attacker with valid credentials can submit unlimited TOTP guesses. The TOTP implementation accepts the current code plus one step on either side (`config/google2fa.php window=1`), so at any instant 3 of 1,000,00
Sources: GHSA
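The entry above turns on two numbers: a verification window of one step on either side makes three six-digit codes valid at any instant, and with no attempt counter the attacker gets as many tries as they want. The following is an added example, not Snipe-IT's code (which is PHP and takes its window from `config/google2fa.php`): a small RFC 6238 TOTP verifier in Python that shows which codes a window of 1 accepts, what the per-guess and cumulative success odds are, and what a per-user failed-attempt counter with a lockout changes. The secret is the RFC 4226/6238 test secret; the attempt limit and lockout length are assumed values chosen for illustration.

```python
import hashlib
import hmac
import math
import struct

# RFC 4226 / RFC 6238 test secret, used here as the constructed example secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def accepted_codes(secret: bytes, at: float, window: int = 1, step: int = 30) -> set:
    """Every code a verifier tolerating +/-window steps accepts at time `at`.
    window=1 (the setting named in the advisory) yields three valid codes."""
    counter = int(at) // step
    return {hotp(secret, counter + k) for k in range(-window, window + 1)}


def brute_force_success_probability(guesses: int, window: int = 1, digits: int = 6) -> float:
    """Chance that `guesses` random codes include an accepted one, treating guesses as
    independent and the window as fixed in size (it rolls forward as steps pass)."""
    accepted = 2 * window + 1
    return 1.0 - (1.0 - accepted / 10 ** digits) ** guesses


def guesses_for_probability(p: float, window: int = 1, digits: int = 6) -> int:
    """Smallest number of guesses giving at least probability p of success."""
    accepted = 2 * window + 1
    return math.ceil(math.log(1.0 - p) / math.log(1.0 - accepted / 10 ** digits))


class TotpVerifier:
    """A verifier with the controls the advisory reports as missing: a per-user
    failed-attempt counter and a lockout. The limits are assumed values."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_attempts: int = 5, lockout_seconds: int = 300):
        self.secret = secret
        self.window = window
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state: dict = {}  # user -> (failed_count, locked_until)

    def verify(self, user: str, code: str, now: float) -> str:
        """Returns 'ok', 'bad' or 'locked'. A lockout refuses even a correct code."""
        failed, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        # compare_digest needs ASCII str; anything else is simply a bad guess.
        candidates = accepted_codes(self.secret, now, self.window) if code.isascii() else set()
        matched = False
        for candidate in candidates:
            if hmac.compare_digest(code, candidate):
                matched = True
        if matched:
            self._state[user] = (0, 0.0)
            return "ok"
        failed += 1
        if failed >= self.max_attempts:
            # Reset the counter and start the lockout clock.
            self._state[user] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[user] = (failed, locked_until)
        return "bad"
```

With window=1 each guess has a 3 in 1,000,000 chance, so an unthrottled attacker reaches even odds after roughly 231,000 submissions; a counter that locks the account after a handful of failures caps the attacker at that handful per lockout period, which is the mitigation the fixed release adds.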
CVE-2026-48492 | MEDIUM | affected: ≥ 0, < 8.5.1 | 2026-06-23
[MEDIUM] CWE-862 Snipe-IT's selectlist visibility is too permissive.
Impact: The GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT, regardless of permissions, can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user
Sources: GHSA
CVE-2026-50550 | MEDIUM | affected: ≥ 0, < 8.5.0 | 2026-06-23
[MEDIUM] CWE-862 Snipe-IT has a 2FA reset privilege bypass.
Impact: A user who can edit other users could reset a superadmin's 2FA.
Patches: Patched in 8.5.0.
Sources: GHSA
CVE-2026-55483 | MEDIUM | affected: ≥ 0, < 8.6.0 | 2026-06-23
[MEDIUM] CWE-862 Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation.
Impact: The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new u
Sources: GHSA
CVE-2026-55482 | MEDIUM | affected: ≥ 0, < 8.4.2 | 2026-06-23
[MEDIUM] CWE-639 Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update.
Impact: The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.
Patches: Patche
Sources: GHSA
CVE-2026-55519 | LOW | affected: ≥ 0, < 8.4.1 | 2026-06-23
[LOW] CWE-285 Snipe-IT has Improper Authorization in File Deletion (IDOR).
Impact: A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability caused by a class-l
Sources: GHSA
CVE-2026-55542 | LOW | affected: ≥ 0, < 8.5.1 | 2026-06-23
[LOW] CWE-862 Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL.
Impact: Snipe-IT S3 signature image retrieval lacks authorization before the temporary URL is issued. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. ## Key evide
Sources: GHSA
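Every affected range on this page starts at 0 and differs only in its upper bound, so a running install can be checked against the whole list by comparing its version tuple with each bound. The helper below is an added example, not cvebase's or Snipe-IT's code; the range table is transcribed from the entries above, and a pre-release suffix such as `-pre` is treated as the release it precedes (a simplification noted in the comments).

```python
import re

# Affected ranges as listed on this page, as (CVE, operator, upper bound).
# Every range starts at ">= 0", so only the upper bound needs checking.
AFFECTED = [
    ("CVE-2022-0622", "<", "5.3.11"),
    ("CVE-2022-3173", "<", "6.0.10"),
    ("CVE-2022-3035", "<", "6.0.11"),
    ("CVE-2022-0569", "<", "5.3.10"),
    ("CVE-2021-3931", "<=", "5.3.1"),
    ("CVE-2021-4089", "<", "5.3.4"),
    ("CVE-2022-0179", "<", "5.3.7"),
    ("CVE-2025-59712", "<", "8.1.18"),
    ("CVE-2026-54329", "<", "8.6.2"),
    ("CVE-2026-49976", "<", "8.6.0"),
    ("CVE-2026-49870", "<", "8.6.0"),
    ("CVE-2026-48492", "<", "8.5.1"),
    ("CVE-2026-50550", "<", "8.5.0"),
    ("CVE-2026-55483", "<", "8.6.0"),
    ("CVE-2026-55482", "<", "8.4.2"),
    ("CVE-2026-55519", "<", "8.4.1"),
    ("CVE-2026-55542", "<", "8.5.1"),
]


def parse_version(s: str) -> tuple:
    """'v8.4.0', '8.4.0 (build 21280-...)' or '8.6.2-pre' -> (8, 4, 0) style tuple.
    A leading 'v' and anything after the numeric part are ignored, so a
    pre-release is ranked as the release it precedes (simplification)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '8.4' compares like '8.4.0'


def affected_cves(version: str, ranges=AFFECTED) -> list:
    """CVE IDs from `ranges` whose affected range contains `version`, in page order."""
    v = parse_version(version)
    hits = []
    for cve, op, bound in ranges:
        b = parse_version(bound)
        if (op == "<" and v < b) or (op == "<=" and v <= b):
            hits.append(cve)
    return hits


def minimum_fixed_version(ranges=AFFECTED) -> str:
    """Lowest version outside every listed range: the upgrade target this page implies.
    A '<=' bound means the next patch release is the first fixed one."""
    best = (0, 0, 0)
    for _, op, bound in ranges:
        b = parse_version(bound)
        if op == "<=":
            b = b[:-1] + (b[-1] + 1,)
        best = max(best, b)
    return ".".join(str(x) for x in best)


if __name__ == "__main__":
    for candidate in ("v8.4.0", "8.6.1", "8.6.2"):
        print(candidate, affected_cves(candidate))
    print("upgrade target from this page:", minimum_fixed_version())
```

The table covers only the 17 entries shown on this page (page 3 of 3); a complete check would merge the ranges from the other two pages before calling `affected_cves`.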