snipe/snipe-it Security Advisories (57)
-
[HIGH] Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection
PKSA-2tsw-c1yg-xhyc CVE-2026-54329 GHSA-pwpj-p52h-q484
Affected version: <=8.6.1
Reported by: GitHub
-
[LOW] Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL
PKSA-k6ph-vwdz-djyn CVE-2026-55542 GHSA-6mmj-jhqj-6c6q
Affected version: <=8.5.0
Reported by: GitHub
-
[LOW] Snipe-IT has Improper Authorization in File Deletion (IDOR)
PKSA-dfjb-vj14-j26x CVE-2026-55519 GHSA-x667-r589-43m7
Affected version: <=8.4.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
PKSA-nhdc-dm5c-gkjd CVE-2026-55483 GHSA-hf68-g98v-wp9g
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
PKSA-44m9-kxcv-rmgf CVE-2026-55482 GHSA-33g4-646g-qwmm
Affected version: <=8.4.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has a 2FA reset privilege bypass
PKSA-xjxm-8vz6-vf8y CVE-2026-50550 GHSA-6x4j-8954-5hxm
Affected version: <8.5.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to User Account Escalation via CSV Import
PKSA-sr4q-gvr6-k14n CVE-2026-49976 GHSA-p68w-rgmg-3c2v
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`
PKSA-35bw-hh2v-5kbx CVE-2026-49870 GHSA-mr8g-2mj4-pcq2
Affected version: <8.6.0
Reported by: GitHub
-
[HIGH] Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
PKSA-czh5-xdx3-8gjh CVE-2026-48507 GHSA-6f75-x745-xcpr
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
PKSA-7srb-sjc8-3k98 CVE-2026-48493 GHSA-52fw-7fw2-fmv5
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT's selectlist visibility is too permissive
PKSA-bd8t-dph3-gby8 CVE-2026-48492 GHSA-f3c5-6cw8-fg57
Affected version: <8.5.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has an open redirect vulnerability
PKSA-rnj3-1mvy-45m9 CVE-2026-44833 GHSA-mghp-5cq4-v6mg
Affected version: <8.4.1
Reported by: GitHub
-
[CRITICAL] Snipe-IT has insecure permissions in file uploads
PKSA-p5z5-yvbr-44mr CVE-2026-37709 GHSA-xg82-2hrv-hf64
Affected version: <8.4.1
Reported by: GitHub
-
[HIGH] Snipe-IT has Privilege Escalation via API Permissions Assignment
PKSA-3w8f-xykp-s5ps CVE-2026-44832 GHSA-hq28-crg7-95pr
Affected version: <8.4.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
PKSA-t5t8-ptsk-b8c5 CVE-2026-44831 GHSA-r42m-953q-6vjx
Affected version: <8.4.1
Reported by: GitHub
-
[HIGH] Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
PKSA-b19f-d499-7h75 CVE-2025-15602 GHSA-5448-v74m-7mv7
Affected version: <8.3.7
Reported by: GitHub
-
[MEDIUM] Snipe-IT allows stored XSS via the Locations "Country" field
PKSA-wtqq-tf96-nxmc CVE-2025-65622 GHSA-4g25-wj72-chxg
Affected version: <8.3.4
Reported by: GitHub
-
[MEDIUM] Snipe-IT is vulnerable to stored cross-site scripting
PKSA-czzq-6v8k-876d CVE-2025-65621 GHSA-fww5-m9wc-jcjc
Affected version: <8.3.4
Reported by: GitHub
-
[MEDIUM] Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
PKSA-c9tc-ctjb-ht9h CVE-2025-64027 GHSA-8x9v-8qgj-945x
Affected version: <=8.3.4
Reported by: GitHub
-
[MEDIUM] Snipe-IT allows unsafe deserialization
PKSA-xzw3-k89w-sm61 CVE-2025-59713 GHSA-phwj-fgch-xvrj
Affected version: <8.1.18
Reported by: GitHub
-
[MEDIUM] Snipe-IT allows XSS
PKSA-hsvj-t2cd-6x2t CVE-2025-59712 GHSA-c9wp-pr7f-hfqm
Affected version: <8.1.18
Reported by: GitHub
-
[MEDIUM] Grokability Snipe-IT has incorrect authorization for accessing asset information
PKSA-vcwy-q31n-p6vy CVE-2025-47226 GHSA-h3vp-qwmx-5j25
Affected version: <8.1.0
Reported by: GitHub
-
[HIGH] Cross Site Scripting vulnerability in Snipe-IT
PKSA-b5q2-426v-y91n CVE-2024-51093 GHSA-hw9x-8m75-4vjq
Affected version: <=7.0.13
Reported by: GitHub
-
[HIGH] Snipe-IT remote code execution
PKSA-xdch-tcv5-mhm5 CVE-2024-48987 GHSA-57qh-vmjr-5jxg
Affected version: <7.0.10
Reported by: GitHub
-
[HIGH] Snipe-IT allows users to promote or demote themselves or other users
PKSA-z8qx-662q-rf8y CVE-2024-5685 GHSA-544r-fc65-v832
Affected version: <6.4.2
Reported by: GitHub
-
[HIGH] Cross-Site Request Forgery (CSRF) in snipe/snipe-it
PKSA-vwgv-c27j-814j CVE-2023-5511 GHSA-33vj-r6p6-x4p8
Affected version: <=6.2.2
Reported by: GitHub
-
[MEDIUM] Cross-site Scripting in snipe/snipe-it
PKSA-cht9-1vc6-6bmf CVE-2023-5452 GHSA-rr5c-69c9-gj9f
Affected version: <=6.2.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT vulnerable to Cross Site Scripting for View Assigned Assets
PKSA-44wz-9w6n-4dr3 CVE-2022-44380 GHSA-363q-j92x-7543
Affected version: <6.0.14
Reported by: GitHub
-
[MEDIUM] Snipe-IT allows attackers to check whether a user account exists
PKSA-jrdw-kz9p-4bz7 CVE-2022-44381 GHSA-qqv9-gqh5-7h99
Affected version: <=6.0.14
Reported by: GitHub
-
[MEDIUM] Snipe-IT vulnerable to Improper Authentication
PKSA-7r6m-2yf6-yhdg CVE-2022-3173 GHSA-fhvv-p968-6vvj
Affected version: <6.0.10
Reported by: GitHub
-
[MEDIUM] snipe-it vulnerable to cross-site scripting (XSS)
PKSA-w688-w6zs-zd4h CVE-2022-3035 GHSA-rff2-vqm3-jpv5
Affected version: <6.0.11
Reported by: GitHub
-
[MEDIUM] Insufficient Session Expiration in snipe/snipe-it
PKSA-rfx5-qvwj-94st CVE-2022-2997 GHSA-cmxc-9ghj-jp87
Affected version: <6.0.10
Reported by: GitHub
-
[MEDIUM] Snipe-IT 6.0.2 vulnerable to Cross-site Scripting
PKSA-z58z-h4zh-1zhj CVE-2022-32061 GHSA-xwqx-x38c-cw95
Affected version: <=6.0.2
Reported by: GitHub
-
[MEDIUM] Snipe-IT 6.0.2 vulnerable to Cross-site Scripting via arbitrary file upload in Update Branding Settings
PKSA-8j5v-fmm7-wt5m CVE-2022-32060 GHSA-w82x-xjjr-cjr5
Affected version: <=6.0.2
Reported by: GitHub
-
[MEDIUM] Snipe-IT XSS Vulnerability
PKSA-14vj-xv1g-g219 CVE-2019-10118 GHSA-fx98-8w93-4mxr
Affected version: <4.6.14
Reported by: GitHub
-
[HIGH] snipe-IT vulnerable to host header injection
PKSA-8rfs-wtdf-xfx2 CVE-2022-23064 GHSA-9vh6-qfv6-vcqp
Affected version: >=3.0-alpha,<=5.3.7
Reported by: GitHub
-
[MEDIUM] Improper Access Control in snipe/snipe-it
PKSA-mx1p-71nz-7bbw CVE-2022-1511 GHSA-p2vw-f87c-q597
Affected version: <5.4.4
Reported by: GitHub
-
[MEDIUM] Stored cross-site scripting in Snipe-IT
PKSA-cry2-5f97-1776 CVE-2022-1445 GHSA-hpx4-xjp7-m4vr
Affected version: <5.4.3
Reported by: GitHub
-
[MEDIUM] Cross-site Scripting in snipe-it
PKSA-tysm-wwww-bphm CVE-2022-1380 GHSA-p885-prv3-m4xv
Affected version: <5.4.3
Reported by: GitHub
-
[HIGH] Old sessions not blocked by login enable function in Snipe-IT
PKSA-111v-cp4h-45pv CVE-2022-1155 GHSA-636j-7x7r-gvw2
Affected version: <5.4.2|>=6.0.0-RC-1,<=6.0.0-RC-5
Reported by: GitHub
-
[MEDIUM] Generation of Error Message Containing Sensitive Information in Snipe-IT
PKSA-6qhy-57tc-w8br CVE-2022-0622 GHSA-pwwm-pwx2-2hw7
Affected version: <5.3.11
Reported by: GitHub
-
[HIGH] Improper Privilege Management in Snipe-IT
PKSA-tnk3-ggr7-23qc CVE-2022-0611 GHSA-j57w-3c39-gpp5
Affected version: <5.3.11
Reported by: GitHub
-
[MEDIUM] Exposure of Sensitive Information in snipe/snipe-it
PKSA-b3pc-3vj4-js4s CVE-2022-0569 GHSA-qpv2-jxc7-3638
Affected version: <5.3.10
Reported by: GitHub
-
[MEDIUM] Improper Privilege Management in Snipe-IT
PKSA-b466-9p4g-g85g CVE-2022-0579 GHSA-v6vg-pxvv-g5cq
Affected version: <5.3.9
Reported by: GitHub
-
[MEDIUM] Improper Access Control in snipe-it
PKSA-gzsd-9krn-qpvt CVE-2022-0178 GHSA-xc47-3rch-cv57
Affected version: <=5.3.7
Reported by: GitHub
-
[MEDIUM] Incorrect Default Permissions and Improper Access Control in snipe-it
PKSA-ytnn-96r3-d3kb CVE-2022-0179 GHSA-w3v3-cxq5-9vr4
Affected version: <5.3.7
Reported by: GitHub
-
[HIGH] snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
PKSA-168d-vfgc-8zkn CVE-2021-4130 GHSA-4w23-c97g-fq5v
Affected version: <5.3.6
Reported by: GitHub
-
[MEDIUM] snipe-it is vulnerable to Improper Access Control
PKSA-v6jc-z85y-2xb2 CVE-2021-4089 GHSA-9vwf-54m9-gc4f
Affected version: <5.3.4
Reported by: GitHub
-
[MEDIUM] snipe-it is vulnerable to Cross-site Scripting
PKSA-xn61-mcnh-2z6t CVE-2021-4108 GHSA-rxch-gp62-574w
Affected version: <5.3.5
Reported by: GitHub
-
[HIGH] Server-Side Request Forgery in snipe/snipe-it
PKSA-mycg-3z9s-m171 CVE-2021-4075 GHSA-553q-hpvp-q8pc
Affected version: <=5.3.3
Reported by: GitHub
-
[MEDIUM] snipe-it is vulnerable to Cross-site Scripting
PKSA-j39k-svpb-czn5 CVE-2021-4018 GHSA-5fh3-25xr-g85h
Affected version: <5.3.3
Reported by: GitHub
-
[HIGH] Cross-site Scripting in snipe/snipe-it
PKSA-v67w-nqct-qm6c CVE-2021-3961 GHSA-c65v-p733-9796
Affected version: <5.3.2
Reported by: GitHub
-
[LOW] snipe-it is vulnerable to Cross-site Scripting
PKSA-f953-tv8q-pmys CVE-2021-3938 GHSA-2cqg-q7jm-j35c
Affected version: <=5.3.1
Reported by: GitHub
-
[MEDIUM] snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
PKSA-xvn7-8ccy-j2pj CVE-2021-3931 GHSA-533p-cp2g-99wp
Affected version: <=5.3.1
Reported by: GitHub
-
[MEDIUM] Cross-site Scripting in snipe-it
PKSA-k1nv-3hks-9dm6 CVE-2021-3863 GHSA-5rg2-6qr5-2xp8
Affected version: <5.3.0
Reported by: GitHub
-
[MEDIUM] Cross-Site Request Forgery in snipe-it
PKSA-v52w-gy13-9kjc CVE-2021-3858 GHSA-g92x-8m54-p89v
Affected version: <5.3.0
Reported by: GitHub
-
[MEDIUM] Cross-site Scripting in snipe-it
PKSA-4ht1-zxj3-7f11 CVE-2021-3879 GHSA-9g3v-j3cr-6fc6
Affected version: <5.3.0
Reported by: GitHub