Shodan
Vulnerabilities
Vulnerable Software
Snipeitapp:  >> Snipe-It  >> 8.4.0  Security Vulnerabilities
CVE-2026-48507
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch.
CVSS Score
7.1
EPSS Score
0.002
Published
2026-06-08
CVE-2026-44831
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1.
CVSS Score
4.8
EPSS Score
0.002
Published
2026-05-26
CVE-2026-44832
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1.
CVSS Score
7.1
EPSS Score
0.003
Published
2026-05-26
CVE-2026-44833
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1.
CVSS Score
5.9
EPSS Score
0.002
Published
2026-05-26
CVE-2026-37709
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component
CVSS Score
9.8
EPSS Score
0.005
Published
2026-05-07
CVE-2026-38533
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.
CVSS Score
6.5
EPSS Score
0.003
Published
2026-04-14


Products
Pricing
Contact Us

Shodan ® - All rights reserved