snipe/snipe-it
Packagist · 39 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting snipe/snipe-it (page 1 of 1)
- CVE-2019-10118 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 4.6.14 | 2019-03-27
  vulnerable: 3.2.0 ... v4.6.9 (127 versions)
  Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
- CVE-2021-3858 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.3.0 | 2021-10-19
  vulnerable: 3.2.0 ... v5.2.0 (177 versions)
  snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3863 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.3.0 | 2021-10-19
  vulnerable: 3.2.0 ... v5.2.0 (177 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-3879 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.3.0 | 2021-10-19
  vulnerable: 3.2.0 ... v5.2.0 (177 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-3931 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-11-13
  vulnerable: 3.2.0 ... v5.3.1 (179 versions)
  snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3938 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.4.0 | 2021-11-13
  vulnerable: 3.2.0 ... v5.3.9 (188 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-3961 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.3.2 | 2021-11-19
  vulnerable: 3.2.0 ... v5.3.1 (179 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-4018 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.3.3 | 2021-12-01
  vulnerable: 3.2.0 ... v5.3.2 (180 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-4075 | HIGH | CVSS 7.2 | EG 7.2 | ✓ Fixed in 6.0.0-GM | 2021-12-06
  vulnerable: 3.2.0 ... v5.4.4 (193 versions)
  snipe-it is vulnerable to Server-Side Request Forgery (SSRF)
- CVE-2021-4089 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.3.4 | 2021-12-10
  vulnerable: 3.2.0 ... v5.3.3 (181 versions)
  snipe-it is vulnerable to Improper Access Control
- CVE-2021-4108 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.3.5 | 2021-12-14
  vulnerable: 3.2.0 ... v5.3.4 (182 versions)
  snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE-2021-4130 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.3.6 | 2021-12-18
  vulnerable: 3.2.0 ... v5.3.5 (183 versions)
  snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2022-0178 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 5.3.8 | 2022-01-13
  vulnerable: 3.2.0 ... v5.3.7 (185 versions)
  Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8.
- CVE-2022-0179 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.3.7 | 2022-01-12
  vulnerable: 3.2.0 ... v5.3.6 (184 versions)
  snipe-it is vulnerable to Missing Authorization
- CVE-2022-0569 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.3.10 | 2022-02-14
  vulnerable: 3.2.0 ... v5.3.9 (187 versions)
  Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.
- CVE-2022-0579 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.3.9 | 2022-02-14
  vulnerable: 3.2.0 ... v5.3.8 (186 versions)
  Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.
- CVE-2022-0611 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 5.3.11 | 2022-02-16
  vulnerable: 3.2.0 ... v5.3.9 (188 versions)
  Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.
- CVE-2022-0622 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.3.11 | 2022-02-17
  vulnerable: 3.2.0 ... v5.3.9 (188 versions)
  Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11.
- CVE-2022-1155 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 5.4.2 | 2022-03-30
  vulnerable: 3.2.0 ... v5.4.1 (190 versions)
  Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10.
- CVE-2022-1380 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.4.3 | 2022-04-16
  vulnerable: 3.2.0 ... v5.4.2 (191 versions)
  Stored Cross Site Scripting vulnerability in the Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.
- CVE-2022-1445 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.4.3 | 2022-04-24
  vulnerable: 3.2.0 ... v5.4.2 (191 versions)
  Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie.
- CVE-2022-1511 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.4.4 | 2022-04-28
  vulnerable: 3.2.0 ... v5.4.3 (192 versions)
  Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4.
- CVE-2022-23064 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.4.0 | 2022-05-02
  vulnerable: 3.2.0 ... v5.3.9 (147 versions)
  In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which once clicked lead to a…
- CVE-2022-2997 | HIGH | CVSS 8.0 | EG 8.0 | ✓ Fixed in 6.0.10 | 2022-08-25
  vulnerable: 3.2.0 ... v6.0.9 (211 versions)
  Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.
- CVE-2022-3035 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 6.0.11 | 2022-08-29
  vulnerable: 3.2.0 ... v6.0.9 (212 versions)
  Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
- CVE-2022-3173 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 6.0.10 | 2022-09-17
  vulnerable: 3.2.0 ... v6.0.9 (211 versions)
  Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.
- CVE-2022-32060 | MEDIUM | CVSS 4.8 | EG 4.8 | 2022-07-07
  vulnerable: 3.2.0 ... v6.0.2 (204 versions)
  An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
- CVE-2022-32061 | MEDIUM | CVSS 4.8 | EG 4.8 | 2022-07-07
  vulnerable: 3.2.0 ... v6.0.2 (204 versions)
  An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
- CVE-2022-44380 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 6.0.14 | 2022-12-25
  vulnerable: 3.2.0 ... v6.0.9 (215 versions)
  Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.
- CVE-2022-44381 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-12-25
  vulnerable: 3.2.0 ... v6.0.9 (216 versions)
  Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.
- CVE-2023-5452 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 6.2.2 | 2023-10-06
  vulnerable: 3.2.0 ... v6.2.1 (221 versions)
  Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.
- CVE-2023-5511 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 6.2.3 | 2023-10-11
  vulnerable: 3.2.0 ... v6.2.2 (222 versions)
  Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v6.2.3.
- CVE-2024-48987 | MEDIUM | CVSS 6.6 | EG 6.6 | ✓ Fixed in 7.0.10 | 2024-10-11
  vulnerable: 3.2.0 ... v7.0.9 (241 versions)
  Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
- CVE-2024-51093 | HIGH | CVSS 8.7 | EG 8.7 | 2024-11-12
  vulnerable: 3.2.0 ... v7.0.9 (245 versions)
  Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the payload is executed, granting the attacker s…
- CVE-2024-5685 | HIGH | CVSS 7.6 | EG 7.6 | ✓ Fixed in 6.4.2 | 2024-06-14
  vulnerable: 3.2.0 ... v6.4.1 (230 versions)
  Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1.
- CVE-2025-15602 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 8.3.7 | 2026-03-06
  vulnerable: 3.2.0 ... v8.3.6 (272 versions)
  Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify r…
- CVE-2025-47226 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 8.1.0 | 2025-05-02
  vulnerable: 3.2.0 ... v8.0.4 (254 versions)
  Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
- CVE-2025-59713 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 8.1.18 | 2025-09-19
  vulnerable: 3.2.0 ... v8.1.4 (262 versions)
  Snipe-IT before 8.1.18 allows unsafe deserialization.
- CVE-2026-37709 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 8.4.1 | 2026-05-07
  vulnerable: 3.2.0 ... v8.4.0 (274 versions)
  Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php compon…