Snipeitapp: >> Snipe-It Security Vulnerabilities
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-01
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-01
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-20
Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system commands.
CVSS Score
9.9
EPSS Score
0.004
Published
2025-11-05
Snipe-IT before 8.1.18 allows unsafe deserialization.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-09-19
Snipe-IT before 8.1.18 allows XSS.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-09-19
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
CVSS Score
5.0
EPSS Score
0.004
Published
2025-05-02
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the payload is executed, granting the attacker super admin permissions within the Snipe-IT system.
CVSS Score
8.7
EPSS Score
0.002
Published
2024-11-12
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.
CVSS Score
8.0
EPSS Score
0.004
Published
2024-11-12
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
CVSS Score
6.6
EPSS Score
0.02
Published
2024-10-11
Page 1