| purl | pkg:composer/snipe/snipe-it@2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-16y9-smp1-nfaa (Aliases: CVE-2023-5511, GHSA-33vj-r6p6-x4p8) | Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3. | Affected by 14 other vulnerabilities. |
| VCID-1d8d-19xp-9qdz (Aliases: CVE-2025-15602, GHSA-5448-v74m-7mv7) | Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment: Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance. | Affected by 4 other vulnerabilities. |
| VCID-1dda-mx1c-efa7 (Aliases: CVE-2021-4018, GHSA-5fh3-25xr-g85h) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 36 other vulnerabilities. |
| VCID-21zs-gaq3-77a4 (Aliases: CVE-2022-1155, GHSA-636j-7x7r-gvw2) | Business Logic Error: Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10. | Affected by 26 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-2akh-m243-mufc (Aliases: CVE-2021-4075, GHSA-553q-hpvp-q8pc) | snipe-it is vulnerable to Server-Side Request Forgery (SSRF). | Affected by 0 other vulnerabilities. |
| VCID-3vbe-y1my-qqgj (Aliases: CVE-2021-3858, GHSA-g92x-8m54-p89v) | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). | Affected by 40 other vulnerabilities. |
| VCID-3xtm-ufqd-zfe4 (Aliases: CVE-2022-1445, GHSA-hpx4-xjp7-m4vr) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stealing the user's cookie. | Affected by 22 other vulnerabilities. |
| VCID-5cbq-47qe-gya8 (Aliases: CVE-2024-51093, GHSA-hw9x-8m75-4vjq) | Cross Site Scripting vulnerability in Snipe-IT v.7.0.13 allows a remote attacker to escalate privileges via an unknown part of the file /users/{{user-id}}/#files. | There are no reported fixed by versions. |
| VCID-5wud-dpsa-myds (Aliases: CVE-2019-10118, GHSA-fx98-8w93-4mxr) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API. | Affected by 43 other vulnerabilities. |
| VCID-5yd4-b352-mkbn (Aliases: CVE-2021-4130, GHSA-4w23-c97g-fq5v) | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). | Affected by 32 other vulnerabilities. |
| VCID-6qb4-an9b-aufh (Aliases: CVE-2026-44833, GHSA-mghp-5cq4-v6mg) | Snipe-IT has an open redirect vulnerability: Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via an unvalidated HTTP Referer header stored in a session variable. **Impact:** Phishing (redirect users to fake login pages to steal credentials); Session Hijacking (redirect to an attacker site that captures session cookies via JavaScript); Malware Distribution (redirect to sites hosting malware or drive-by downloads); Reputation Damage (users lose trust when redirected to malicious sites from a legitimate application); Social Engineering (use the trusted Snipe-IT domain to increase phishing success rate). When the user clicks "Save", the application (1) processes the form, (2) checks `redirect_option` (if set to 'back'), (3) calls `Helper::getRedirectOption()`, (4) retrieves `back_url` from the session (`https://evil.com/phishing?target=snipeit`), (5) executes `redirect()->to($backUrl)`, and (6) the user is redirected to the attacker's site. This would still require session poisoning, so the actual practical threat here is minimal. **Patches:** Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1. **Workarounds:** None. **Resources:** CWE-601: URL Redirection to Untrusted Site ('Open Redirect'); OWASP: Unvalidated Redirects and Forwards; Laravel Security: Safe Redirects; [snipeit_open_redirect_submission.md](https://github.com/user-attachments/files/27414869/snipeit_open_redirect_submission.md). | Affected by 0 other vulnerabilities. |
| VCID-6ujw-nug2-zbfr (Aliases: CVE-2021-4108, GHSA-rxch-gp62-574w) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 33 other vulnerabilities. |
| VCID-6wam-dqsj-e3dv (Aliases: CVE-2026-44832, GHSA-hq28-crg7-95pr) | Snipe-IT has Privilege Escalation via API Permissions Assignment. **Impact:** An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users. **Patches:** Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1. **Workarounds:** None. | Affected by 0 other vulnerabilities. |
| VCID-6xuf-y113-3qh1 (Aliases: CVE-2025-59712, GHSA-c9wp-pr7f-hfqm) | Snipe-IT allows XSS: Snipe-IT before 8.1.18 allows XSS. | Affected by 8 other vulnerabilities. |
| VCID-91vw-khmf-6bbm (Aliases: CVE-2022-3173, GHSA-fhvv-p968-6vvj) | Snipe-IT vulnerable to Improper Authentication: Snipe-IT prior to 6.0.10 is vulnerable to Improper Authentication. A user without the `View and Modify License Files` permission may access files uploaded to licenses as long as they have the `View` permission for licenses. | Affected by 19 other vulnerabilities. |
| VCID-9uf7-64th-4kb9 (Aliases: CVE-2025-59713, GHSA-phwj-fgch-xvrj) | Snipe-IT allows unsafe deserialization: Snipe-IT before 8.1.18 allows unsafe deserialization. | Affected by 8 other vulnerabilities. |
| VCID-acwy-5nbp-yyb4 (Aliases: CVE-2023-5452, GHSA-rr5c-69c9-gj9f) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2. | Affected by 15 other vulnerabilities. |
| VCID-ax2b-jba4-4ufg (Aliases: CVE-2021-3879, GHSA-9g3v-j3cr-6fc6) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 40 other vulnerabilities. |
| VCID-bkce-dwzp-yqda (Aliases: CVE-2025-65622, GHSA-4g25-wj72-chxg) | Snipe-IT allows stored XSS via the Locations "Country" field: Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | Affected by 6 other vulnerabilities. |
| VCID-bpnp-1u65-zuc5 (Aliases: CVE-2025-65621, GHSA-fww5-m9wc-jcjc) | Snipe-IT is vulnerable to stored cross-site scripting: Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | Affected by 6 other vulnerabilities. |
| VCID-c5ff-jcx2-8qef (Aliases: CVE-2025-64027, GHSA-8x9v-8qgj-945x) | Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow: Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. | Affected by 5 other vulnerabilities. |
| VCID-cb8w-cdv2-b3a7 (Aliases: CVE-2021-3961, GHSA-c65v-p733-9796) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 37 other vulnerabilities. |
| VCID-dx3k-jtmy-audv (Aliases: CVE-2022-0579, GHSA-v6vg-pxvv-g5cq) | Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3.9. | Affected by 28 other vulnerabilities. |
| VCID-em3j-ax33-hbdh (Aliases: CVE-2022-0622, GHSA-pwwm-pwx2-2hw7) | Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11. | Affected by 0 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-f84w-4gun-ubej (Aliases: CVE-2024-5685, GHSA-544r-fc65-v832) | Snipe-IT allows users to promote or demote themselves or other users: Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1. | Affected by 13 other vulnerabilities. |
| VCID-hmvz-j385-uyfy (Aliases: CVE-2022-3035, GHSA-rff2-vqm3-jpv5) | snipe-it vulnerable to cross-site scripting (XSS): Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11. | Affected by 18 other vulnerabilities. |
| VCID-hy2w-kubr-x7as (Aliases: CVE-2026-37709, GHSA-xg82-2hrv-hf64) | Snipe-IT has insecure permissions in file uploads: Insecure Permissions vulnerability in grokability snipe-it versions through 8.4.0, fixed after the 2026-03-10 commit 676a9958, allows a remote attacker to execute arbitrary code via the `app/Http/Controllers/Api/UploadedFilesController.php` component. **Impact:** Users who could view assets, consumables, etc. were able to send a POST request to `/api/v1/{object_type}/{id}/files`. The API authorized with "view" instead of write permission and persisted the file and audit log entry. **Patches:** Fixed after the 2026-03-10 commit 676a9958; the fix was released in 8.4.1. **Workarounds:** None. | Affected by 0 other vulnerabilities. |
| VCID-j599-m726-cuer (Aliases: CVE-2022-44381, GHSA-qqv9-gqh5-7h99) | Snipe-IT allows attackers to check whether a user account exists: Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request. | There are no reported fixed by versions. |
| VCID-jvfr-43hu-pqdz (Aliases: CVE-2021-3863, GHSA-5rg2-6qr5-2xp8) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 40 other vulnerabilities. |
| VCID-jz6q-q8r7-tfhb (Aliases: CVE-2022-1380, GHSA-p885-prv3-m4xv) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): Stored Cross Site Scripting vulnerability in the `Item name` parameter in GitHub repository snipe/snipe-it prior to v5.4.3. Exploiting the vulnerability may allow malicious users to steal the victim's cookie data. | Affected by 22 other vulnerabilities. |
| VCID-k283-n11p-nba1 (Aliases: CVE-2021-3931, GHSA-533p-cp2g-99wp) | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF). | There are no reported fixed by versions. |
| VCID-kp2t-jpsa-abds (Aliases: CVE-2022-0178, GHSA-xc47-3rch-cv57) | snipe-it is vulnerable to Improper Access Control. | Affected by 29 other vulnerabilities. |
| VCID-kxug-6d3m-ryhb (Aliases: CVE-2022-1511, GHSA-p2vw-f87c-q597) | Incorrect Authorization: Improper Access Control in GitHub repository snipe/snipe-it prior to 5.4.4. | Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-nf17-pyfu-4qds (Aliases: CVE-2022-44380, GHSA-363q-j92x-7543) | Snipe-IT vulnerable to Cross Site Scripting for View Assigned Assets: Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets. | Affected by 17 other vulnerabilities. |
| VCID-nfxe-yksb-5fdt (Aliases: CVE-2022-0611, GHSA-j57w-3c39-gpp5) | Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3.11. | Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-qzjd-vr1m-43be (Aliases: CVE-2021-4089, GHSA-9vwf-54m9-gc4f) | Incorrect Authorization: snipe-it is vulnerable to Improper Access Control. | Affected by 34 other vulnerabilities. |
| VCID-r18v-762e-xqha (Aliases: CVE-2021-3938, GHSA-2cqg-q7jm-j35c) | snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | Affected by 24 other vulnerabilities. |
| VCID-rq9n-n2fj-xkdy (Aliases: CVE-2024-48987, GHSA-57qh-vmjr-5jxg) | Snipe-IT remote code execution: Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. | Affected by 12 other vulnerabilities. |
| VCID-xk24-e9d1-4bd8 (Aliases: CVE-2026-44831, GHSA-r42m-953q-6vjx) | Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0). **Impact:** Users with component view access could be impacted by an unescaped `notes` column. **Patches:** Patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and fixed in v8.4.1 or greater. **Workarounds:** None. | Affected by 0 other vulnerabilities. |
| VCID-xk8e-jc78-rkbt (Aliases: CVE-2022-0179, GHSA-w3v3-cxq5-9vr4) | Incorrect Default Permissions: snipe-it is vulnerable to Improper Access Control. | Affected by 31 other vulnerabilities. |
| VCID-xkq8-5ufk-3uaf (Aliases: CVE-2025-47226, GHSA-h3vp-qwmx-5j25) | Grokability Snipe-IT has incorrect authorization for accessing asset information: Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information. | Affected by 10 other vulnerabilities. |
| VCID-ye2e-dsae-4fc8 (Aliases: CVE-2022-0569, GHSA-qpv2-jxc7-3638) | Exposure of Sensitive Information in snipe/snipe-it: Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.10. | Affected by 26 other vulnerabilities. |
| VCID-zyzw-hjhm-qbew (Aliases: CVE-2022-2997, GHSA-cmxc-9ghj-jp87) | Insufficient Session Expiration in snipe/snipe-it: Session Fixation in GitHub repository snipe/snipe-it prior to version 6.0.10. The session is not invalidated after a password change. | Affected by 19 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||