Snipeitapp Snipe-It vulnerabilities
47 known vulnerabilities affecting snipeitapp/snipe-it.
Total CVEs: 47
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 15, MEDIUM 29, LOW 1
Vulnerabilities
Page 2 of 3
CVE-2021-4130 | P4 | HIGH | CVSS 8.8 | CWE-352 | fixed in 5.3.6 | 2021-12-18
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF).
Source: nvd
CVE-2022-2997 | P4 | HIGH | CVSS 8.0 | CWE-384 | fixed in 6.0.10 | 2022-08-25
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.
Source: nvd
CVE-2026-48493 | P4 | MEDIUM | CVSS 5.5 | CWE-863 | fixed in 8.6.0 | 2026-06-23
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, for example `assets.view`, `assets.create`, `reports.view`, import, etc. The issue is patched in version 8.6.0.
Source: nvd
CVE-2026-44833 | P4 | HIGH | CVSS 7.1 | CWE-601 | fixed in 8.4.1 | 2026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable. This vulnerability is fixed in 8.4.1.
Source: nvd
CVE-2022-0178 | P4 | MEDIUM | CVSS 5.4 | CWE-862 | fixed in 5.3.8 | 2022-01-13
Missing Authorization vulnerability in snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8.
Source: nvd
CVE-2022-44381 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | affects ≤ 6.0.14 | 2022-12-25
Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.
Source: nvd
CVE-2025-65622 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.3.4 | 2025-12-01
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
Source: nvd
CVE-2025-65621 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.3.4 | 2025-12-01
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
Source: nvd
CVE-2025-64027 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects v8.3.4 | 2025-11-20
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary H
Source: nvd
CVE-2019-10118 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 4.6.14 | 2019-03-27
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
Source: nvd
CVE-2022-1380 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.4.3 | 2022-04-16
Stored Cross Site Scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.
Source: nvd
CVE-2022-1445 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.4.3 | 2022-04-24
Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie.
Source: nvd
CVE-2026-44831 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.4.1 | 2026-05-26
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.
Source: nvd
CVE-2022-32060 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affects v6.0.2 | 2022-07-07
An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
Source: nvd
CVE-2022-32061 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affects v6.0.2 | 2022-07-07
An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
Source: nvd
CVE-2021-4108 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.3.5 | 2021-12-14
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2021-3863 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 5.3.0 | 2021-10-19
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2021-3879 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.3.0 | 2021-10-19
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2021-3961 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.3.2 | 2021-11-19
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2021-4018 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.3.3 | 2021-12-01
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd