Security Advisories - snipe/snipe-it

snipe/snipe-it Security Advisories for v6.0.6 (32)

[HIGH] Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

PKSA-2tsw-c1yg-xhyc CVE-2026-54329 GHSA-pwpj-p52h-q484

Affected version: <=8.6.1

Reported by:
GitHub
[LOW] Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL

PKSA-k6ph-vwdz-djyn CVE-2026-55542 GHSA-6mmj-jhqj-6c6q

Affected version: <=8.5.0

Reported by:
GitHub
[LOW] Snipe-IT has Improper Authorization in File Deletion (IDOR)

PKSA-dfjb-vj14-j26x CVE-2026-55519 GHSA-x667-r589-43m7

Affected version: <=8.4.0

Reported by:
GitHub
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

PKSA-nhdc-dm5c-gkjd CVE-2026-55483 GHSA-hf68-g98v-wp9g

Affected version: <8.6.0

Reported by:
GitHub
[MEDIUM] Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

PKSA-44m9-kxcv-rmgf CVE-2026-55482 GHSA-33g4-646g-qwmm

Affected version: <=8.4.1

Reported by:
GitHub
[MEDIUM] Snipe-IT has a 2FA reset privilege bypass

PKSA-xjxm-8vz6-vf8y CVE-2026-50550 GHSA-6x4j-8954-5hxm

Affected version: <8.5.0

Reported by:
GitHub
[MEDIUM] Snipe-IT Vulnerable to User Account Escalation via CSV Import

PKSA-sr4q-gvr6-k14n CVE-2026-49976 GHSA-p68w-rgmg-3c2v

Affected version: <8.6.0

Reported by:
GitHub
[MEDIUM] Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`

PKSA-35bw-hh2v-5kbx CVE-2026-49870 GHSA-mr8g-2mj4-pcq2

Affected version: <8.6.0

Reported by:
GitHub
[HIGH] Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

PKSA-czh5-xdx3-8gjh CVE-2026-48507 GHSA-6f75-x745-xcpr

Affected version: <8.6.0

Reported by:
GitHub
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

PKSA-7srb-sjc8-3k98 CVE-2026-48493 GHSA-52fw-7fw2-fmv5

Affected version: <8.6.0

Reported by:
GitHub
[MEDIUM] Snipe-IT's selectlist visibility is too permissive

PKSA-bd8t-dph3-gby8 CVE-2026-48492 GHSA-f3c5-6cw8-fg57

Affected version: <8.5.1

Reported by:
GitHub
[MEDIUM] Snipe-IT has an open redirect vulnerability

PKSA-rnj3-1mvy-45m9 CVE-2026-44833 GHSA-mghp-5cq4-v6mg

Affected version: <8.4.1

Reported by:
GitHub
[CRITICAL] Snipe-IT has insecure permissions in file uploads

PKSA-p5z5-yvbr-44mr CVE-2026-37709 GHSA-xg82-2hrv-hf64

Affected version: <8.4.1

Reported by:
GitHub
[HIGH] Snipe-IT has Privilege Escalation via API Permissions Assignment

PKSA-3w8f-xykp-s5ps CVE-2026-44832 GHSA-hq28-crg7-95pr

Affected version: <8.4.1

Reported by:
GitHub
[MEDIUM] Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

PKSA-t5t8-ptsk-b8c5 CVE-2026-44831 GHSA-r42m-953q-6vjx

Affected version: <8.4.1

Reported by:
GitHub
[HIGH] Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment

PKSA-b19f-d499-7h75 CVE-2025-15602 GHSA-5448-v74m-7mv7

Affected version: <8.3.7

Reported by:
GitHub
[MEDIUM] Snipe-IT allows stored XSS via the Locations "Country" field

PKSA-wtqq-tf96-nxmc CVE-2025-65622 GHSA-4g25-wj72-chxg

Affected version: <8.3.4

Reported by:
GitHub
[MEDIUM] Snipe-IT is vulnerable to stored cross-site scripting

PKSA-czzq-6v8k-876d CVE-2025-65621 GHSA-fww5-m9wc-jcjc

Affected version: <8.3.4

Reported by:
GitHub
[MEDIUM] Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

PKSA-c9tc-ctjb-ht9h CVE-2025-64027 GHSA-8x9v-8qgj-945x

Affected version: <=8.3.4

Reported by:
GitHub
[MEDIUM] Snipe-IT allows unsafe deserialization

PKSA-xzw3-k89w-sm61 CVE-2025-59713 GHSA-phwj-fgch-xvrj

Affected version: <8.1.18

Reported by:
GitHub
[MEDIUM] Snipe-IT allows XSS

PKSA-hsvj-t2cd-6x2t CVE-2025-59712 GHSA-c9wp-pr7f-hfqm

Affected version: <8.1.18

Reported by:
GitHub
[MEDIUM] Grokability Snipe-IT has incorrect authorization for accessing asset information

PKSA-vcwy-q31n-p6vy CVE-2025-47226 GHSA-h3vp-qwmx-5j25

Affected version: <8.1.0

Reported by:
GitHub
[HIGH] Cross Site Scripting vulnerability in Snipe-IT

PKSA-b5q2-426v-y91n CVE-2024-51093 GHSA-hw9x-8m75-4vjq

Affected version: <=7.0.13

Reported by:
GitHub
[HIGH] Snipe-IT remote code execution

PKSA-xdch-tcv5-mhm5 CVE-2024-48987 GHSA-57qh-vmjr-5jxg

Affected version: <7.0.10

Reported by:
GitHub
[HIGH] Snipe-IT allows users to promote or demote themselves or other users

PKSA-z8qx-662q-rf8y CVE-2024-5685 GHSA-544r-fc65-v832

Affected version: <6.4.2

Reported by:
GitHub
[HIGH] Cross-Site Request Forgery (CSRF) in snipe/snipe-it

PKSA-vwgv-c27j-814j CVE-2023-5511 GHSA-33vj-r6p6-x4p8

Affected version: <=6.2.2

Reported by:
GitHub
[MEDIUM] Cross-site Scripting in snipe/snipe-it

PKSA-cht9-1vc6-6bmf CVE-2023-5452 GHSA-rr5c-69c9-gj9f

Affected version: <=6.2.1

Reported by:
GitHub
[MEDIUM] Snipe-IT vulnerable to Cross Site Scripting for View Assigned Assets

PKSA-44wz-9w6n-4dr3 CVE-2022-44380 GHSA-363q-j92x-7543

Affected version: <6.0.14

Reported by:
GitHub
[MEDIUM] Snipe-IT allows attackers to check whether a user account exists

PKSA-jrdw-kz9p-4bz7 CVE-2022-44381 GHSA-qqv9-gqh5-7h99

Affected version: <=6.0.14

Reported by:
GitHub
[MEDIUM] Snipe-IT vulnerable to Improper Authentication

PKSA-7r6m-2yf6-yhdg CVE-2022-3173 GHSA-fhvv-p968-6vvj

Affected version: <6.0.10

Reported by:
GitHub
[MEDIUM] snipe-it vulnerable to cross-site scripting (XSS)

PKSA-w688-w6zs-zd4h CVE-2022-3035 GHSA-rff2-vqm3-jpv5

Affected version: <6.0.11

Reported by:
GitHub
[MEDIUM] Insufficient Session Expiration in snipe/snipe-it

PKSA-rfx5-qvwj-94st CVE-2022-2997 GHSA-cmxc-9ghj-jp87

Affected version: <6.0.10

Reported by:
GitHub

snipe/snipe-it Security Advisories for v6.0.6 (32)

[HIGH] Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

[LOW] Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL

[LOW] Snipe-IT has Improper Authorization in File Deletion (IDOR)

[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

[MEDIUM] Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

[MEDIUM] Snipe-IT has a 2FA reset privilege bypass

[MEDIUM] Snipe-IT Vulnerable to User Account Escalation via CSV Import

[MEDIUM] Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`

[HIGH] Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

[MEDIUM] Snipe-IT's selectlist visibility is too permissive

[MEDIUM] Snipe-IT has an open redirect vulnerability

[CRITICAL] Snipe-IT has insecure permissions in file uploads

[HIGH] Snipe-IT has Privilege Escalation via API Permissions Assignment

[MEDIUM] Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

[HIGH] Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment

[MEDIUM] Snipe-IT allows stored XSS via the Locations "Country" field

[MEDIUM] Snipe-IT is vulnerable to stored cross-site scripting

[MEDIUM] Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

[MEDIUM] Snipe-IT allows unsafe deserialization

[MEDIUM] Snipe-IT allows XSS

[MEDIUM] Grokability Snipe-IT has incorrect authorization for accessing asset information

[HIGH] Cross Site Scripting vulnerability in Snipe-IT

[HIGH] Snipe-IT remote code execution

[HIGH] Snipe-IT allows users to promote or demote themselves or other users

[HIGH] Cross-Site Request Forgery (CSRF) in snipe/snipe-it

[MEDIUM] Cross-site Scripting in snipe/snipe-it

[MEDIUM] Snipe-IT vulnerable to Cross Site Scripting for View Assigned Assets

[MEDIUM] Snipe-IT allows attackers to check whether a user account exists

[MEDIUM] Snipe-IT vulnerable to Improper Authentication

[MEDIUM] snipe-it vulnerable to cross-site scripting (XSS)

[MEDIUM] Insufficient Session Expiration in snipe/snipe-it