snipe/snipe-it Security Advisories for v8.3.6 (16)
-
[HIGH] Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection
PKSA-2tsw-c1yg-xhyc CVE-2026-54329 GHSA-pwpj-p52h-q484
Affected version: <=8.6.1
Reported by: GitHub
-
[LOW] Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL
PKSA-k6ph-vwdz-djyn CVE-2026-55542 GHSA-6mmj-jhqj-6c6q
Affected version: <=8.5.0
Reported by: GitHub
-
[LOW] Snipe-IT has Improper Authorization in File Deletion (IDOR)
PKSA-dfjb-vj14-j26x CVE-2026-55519 GHSA-x667-r589-43m7
Affected version: <=8.4.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
PKSA-nhdc-dm5c-gkjd CVE-2026-55483 GHSA-hf68-g98v-wp9g
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
PKSA-44m9-kxcv-rmgf CVE-2026-55482 GHSA-33g4-646g-qwmm
Affected version: <=8.4.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has a 2FA reset privilege bypass
PKSA-xjxm-8vz6-vf8y CVE-2026-50550 GHSA-6x4j-8954-5hxm
Affected version: <8.5.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to User Account Escalation via CSV Import
PKSA-sr4q-gvr6-k14n CVE-2026-49976 GHSA-p68w-rgmg-3c2v
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT's TOTP is Brute-Forceable Due to Missing Rate Limiting on `POST /two-factor`
PKSA-35bw-hh2v-5kbx CVE-2026-49870 GHSA-mr8g-2mj4-pcq2
Affected version: <8.6.0
Reported by: GitHub
-
[HIGH] Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
PKSA-czh5-xdx3-8gjh CVE-2026-48507 GHSA-6f75-x745-xcpr
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
PKSA-7srb-sjc8-3k98 CVE-2026-48493 GHSA-52fw-7fw2-fmv5
Affected version: <8.6.0
Reported by: GitHub
-
[MEDIUM] Snipe-IT's selectlist visibility is too permissive
PKSA-bd8t-dph3-gby8 CVE-2026-48492 GHSA-f3c5-6cw8-fg57
Affected version: <8.5.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has an open redirect vulnerability
PKSA-rnj3-1mvy-45m9 CVE-2026-44833 GHSA-mghp-5cq4-v6mg
Affected version: <8.4.1
Reported by: GitHub
-
[CRITICAL] Snipe-IT has insecure permissions in file uploads
PKSA-p5z5-yvbr-44mr CVE-2026-37709 GHSA-xg82-2hrv-hf64
Affected version: <8.4.1
Reported by: GitHub
-
[HIGH] Snipe-IT has Privilege Escalation via API Permissions Assignment
PKSA-3w8f-xykp-s5ps CVE-2026-44832 GHSA-hq28-crg7-95pr
Affected version: <8.4.1
Reported by: GitHub
-
[MEDIUM] Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)
PKSA-t5t8-ptsk-b8c5 CVE-2026-44831 GHSA-r42m-953q-6vjx
Affected version: <8.4.1
Reported by: GitHub
-
[HIGH] Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
PKSA-b19f-d499-7h75 CVE-2025-15602 GHSA-5448-v74m-7mv7
Affected version: <8.3.7
Reported by: GitHub