snipeitapp snipe it

49 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-44833
< 8.4.1
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to
5.9 MEDIUM
CVE-2026-44832
< 8.4.1
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can esca
8.8 HIGH
CVE-2026-44831
< 8.4.1
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unesca
4.8 MEDIUM
CVE-2026-37709
< 8.4.1
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a
9.8 CRITICAL
CVE-2026-38533
all versions
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with
6.5 MEDIUM
CVE-2025-15602
< 8.3.7
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected
8.8 HIGH
CVE-2025-65622
< 8.3.4
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject
5.4 MEDIUM
CVE-2025-65621
< 8.3.4
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an adm
5.4 MEDIUM
CVE-2025-64027
all versions
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an in
6.1 MEDIUM
CVE-2025-63601
< 8.3.3
Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a mal
9.9 CRITICAL
CVE-2025-59713
< 8.1.18
Snipe-IT before 8.1.18 allows unsafe deserialization.
6.8 MEDIUM
CVE-2025-59712
< 8.1.18
Snipe-IT before 8.1.18 allows XSS.
6.4 MEDIUM
CVE-2025-47226
< 8.1.0
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
5.0 MEDIUM
CVE-2024-51094
all versions
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious pay
8.0 HIGH
CVE-2024-51093
all versions
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing
8.7 HIGH
CVE-2024-48987
< 7.0.10
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. Thi
6.6 MEDIUM
CVE-2024-5685
>= 4.6.17 and < 6.4.2
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the gr
7.6 HIGH
CVE-2023-5511
< 6.2.3
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.
8.8 HIGH
CVE-2023-5452
< 6.2.2
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.
5.4 MEDIUM
CVE-2022-44381
<= 6.0.14
Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/rese
5.3 MEDIUM
CVE-2022-44380
< 6.0.14
Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.
5.4 MEDIUM
CVE-2022-3173
< 6.0.10
Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.
4.3 MEDIUM
CVE-2022-3035
< 6.0.11
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
4.8 MEDIUM
CVE-2022-2997
< 6.0.10
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.
8.0 HIGH
CVE-2022-32061
all versions
An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attac
4.8 MEDIUM
CVE-2022-32060
all versions
An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute ar
4.8 MEDIUM
CVE-2022-23064
>= 3.0.0 and <= 5.3.7
In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in
8.8 HIGH
CVE-2022-1511
< 5.4.4
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4.
6.5 MEDIUM
CVE-2022-1445
< 5.4.3
Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The
5.4 MEDIUM
CVE-2022-1380
< 5.4.3
Stored Cross Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerab
5.4 MEDIUM
CVE-2022-1155
< 5.3.10
Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10.
7.4 HIGH
CVE-2022-0622
<= 5.3.10
Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11.
5.3 MEDIUM
CVE-2022-0611
< 5.3.11
Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.
6.3 MEDIUM
CVE-2022-0579
< 5.3.9
Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.
6.5 MEDIUM
CVE-2022-0569
< 5.3.9
Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.
5.3 MEDIUM
CVE-2022-0178
< 5.3.8
Missing Authorization vulnerability in snipe snipe/snipe-it. This issue affects snipe/snipe-it before 5.3.8.
6.3 MEDIUM
CVE-2022-0179
< 5.3.7
snipe-it is vulnerable to Missing Authorization
5.4 MEDIUM
CVE-2021-4130
< 5.3.6
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
8.8 HIGH
CVE-2021-4108
< 5.3.5
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1 MEDIUM
CVE-2021-4089
<= 5.3.3
snipe-it is vulnerable to Improper Access Control
4.3 MEDIUM
CVE-2021-4075
all versions
snipe-it is vulnerable to Server-Side Request Forgery (SSRF)
7.2 HIGH
CVE-2021-4018
< 5.3.3
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2021-3961
< 5.3.2
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2021-3938
<= 5.3.1
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2021-3931
<= 5.3.1
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
4.3 MEDIUM
CVE-2021-3879
< 5.3.0
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.4 MEDIUM
CVE-2021-3863
< 5.3.0
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1 MEDIUM
CVE-2021-3858
< 5.3.0
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
8.8 HIGH
CVE-2019-10118
< 4.6.14
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
6.1 MEDIUM
threatengine.sh