snipe/snipe-it Security Advisories for v8.4.1 (10)
-
[HIGH] Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection
PKSA-2tsw-c1yg-xhyc CVE-2026-54329 GHSA-pwpj-p52h-q484
Affected version: <=8.6.1
Reported by:
GitHub
-
[LOW] Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL
PKSA-k6ph-vwdz-djyn CVE-2026-55542 GHSA-6mmj-jhqj-6c6q
Affected version: <=8.5.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
PKSA-nhdc-dm5c-gkjd CVE-2026-55483 GHSA-hf68-g98v-wp9g
Affected version: <8.6.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
PKSA-44m9-kxcv-rmgf CVE-2026-55482 GHSA-33g4-646g-qwmm
Affected version: <=8.4.1
Reported by:
GitHub
-
[MEDIUM] Snipe-IT has a 2FA reset privilege bypass
PKSA-xjxm-8vz6-vf8y CVE-2026-50550 GHSA-6x4j-8954-5hxm
Affected version: <8.5.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT Vulnerable to User Account Escalation via CSV Import
PKSA-sr4q-gvr6-k14n CVE-2026-49976 GHSA-p68w-rgmg-3c2v
Affected version: <8.6.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`
PKSA-35bw-hh2v-5kbx CVE-2026-49870 GHSA-mr8g-2mj4-pcq2
Affected version: <8.6.0
Reported by:
GitHub
-
[HIGH] Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
PKSA-czh5-xdx3-8gjh CVE-2026-48507 GHSA-6f75-x745-xcpr
Affected version: <8.6.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
PKSA-7srb-sjc8-3k98 CVE-2026-48493 GHSA-52fw-7fw2-fmv5
Affected version: <8.6.0
Reported by:
GitHub
-
[MEDIUM] Snipe-IT's selectlist visibility is too permissive
PKSA-bd8t-dph3-gby8 CVE-2026-48492 GHSA-f3c5-6cw8-fg57
Affected version: <8.5.1
Reported by:
GitHub