Lucene search
K

24 matches found

NVD
NVD
added yesterday4 views

CVE-2026-55479

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin...

5.3CVSS
Exploits0References3
CVE
CVE
added yesterday3 views

CVE-2026-55469

Snipe-IT prior to 8.6.2 is affected. An authenticated user with import and assets.update permissions can inject a path traversal string into an asset image field via CSV import, which can trigger image deletion and lead to deletion of arbitrary files accessible to the server process. The issue is...

6.5CVSS6.2AI score
Exploits0References3
CVE
CVE
added yesterday3 views

CVE-2026-55479

Snipe-IT before 8.6.2 contains a logic flaw in the legacy single-seat license checkin flow: the action is authorized with checkout permission instead of checkin permission, allowing a user who can assign licenses (but not unassign them) to access the old checkin endpoint and reclaim a license sea...

5.3CVSS6.1AI score
Exploits0References3
NVD
NVD
added yesterday7 views

CVE-2026-54329

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS
Exploits0References5
CVE
CVE
added yesterday5 views

CVE-2026-55464

Snipe-IT (IT asset/license management) is affected by CVE-2026-55464 prior to version 8.6.2. The issue arises from CommonMark escaping raw HTML but not sanitizing javascript: URIs in Markdown hyperlinks within a markdown-textarea custom field. A user with assets.edit permission can insert a malic...

5.4CVSS6.2AI score
Exploits0References3Affected Software1
CVE
CVE
added yesterday13 views

CVE-2026-54329

Summary: CVE-2026-54329 affects Snipe-IT before 8.6.2, where the Accessories API can mass-assign the company_id field, enabling a low-privilege user in one company (with FMCS enabled) to create accessory records under another company. Root cause: API create path mass-assigns request parameters di...

8.5CVSS6.1AI score
Exploits0References5Affected Software1
EUVD
EUVD
added yesterday5 views

EUVD-2026-42982

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS6.1AI score
Exploits0References5
Snyk
Snyk
added 2026/06/23 11:12 p.m.5 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' through the Accessory model mass assignment process. An attacker can...

8.5CVSS5.8AI score
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/03/24 12:24 a.m.5 views

SUSE CVE-2026-33155

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have...

7.5CVSS5.8AI score0.00452EPSS
Exploits1References4
OSV
OSV
added 2026/03/24 12:0 a.m.2 views

OPENSUSE-SU-2026:10417-1 python311-deepdiff-8.6.2-1.1 on GA media

These are all security issues fixed in the python311-deepdiff-8.6.2-1.1 package on the GA media of openSUSE Tumbleweed...

8.7CVSS5.8AI score0.00452EPSS
Exploits1References1
OSV
OSV
added 2026/03/20 9:17 p.m.10 views

UBUNTU-CVE-2026-33155

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have...

8.7CVSS5.8AI score0.00452EPSS
Exploits1References4
Debian CVE
Debian CVE
added 2026/03/20 8:25 p.m.3 views

CVE-2026-33155

DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have...

8.7CVSS5.4AI score0.00452EPSS
Exploits1
Cvelist
Cvelist
added 2025/12/16 6:15 p.m.36 views

CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...

8.3CVSS0.00291EPSS
Exploits0References3
CNNVD
CNNVD
added 2024/08/13 12:0 a.m.6 views

Microsoft Azure CycleCloud 访问控制错误漏洞

Microsoft Azure CycleCloud is a suite of enterprise-friendly tools from Microsoft Corporation USA for orchestrating and managing high-performance computing HPC environments on Azure. An access control error vulnerability exists in Microsoft Azure CycleCloud. An attacker exploiting this...

7.8CVSS6.5AI score0.00514EPSS
Exploits0References2
CNNVD
CNNVD
added 2024/05/15 12:0 a.m.4 views

VITEC AvediaServer 安全漏洞

VITEC AvediaServer is a centralized server from VITEC France. A security vulnerability exists in VITEC AvediaServer version 8.6.2-1, which stems from the presence of an insecure privilege vulnerability that allows remote attackers to escalate privileges via a crafted script...

8.8CVSS7.1AI score0.00522EPSS
Exploits0References3
NVD
NVD
added 2023/09/25 7:15 p.m.32 views

CVE-2023-41867

Unauth. Reflected Cross-Site Scripting XSS vulnerability in AcyMailing Newsletter Team AcyMailing plugin = 8.6.2 versions...

7.1CVSS6.2AI score0.00331EPSS
Exploits0References1
OpenVAS
OpenVAS
added 2023/02/20 12:0 a.m.13 views

Elastic Kibana 7.0.0 < 7.17.9, 8.0.0 < 8.6.2 Open Redirect Vulnerability (ESA-2023-03)

Kibana is prone to an open redirect vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:elastic:kibana"; ifdescription...

6.1CVSS6.3AI score0.00513EPSS
Exploits0References1
Prion
Prion
added 2022/03/01 7:15 p.m.25 views

Sql injection

A improper neutralization of special elements used in an sql command 'sql injection' in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to the AP...

6.5CVSS8.8AI score0.00798EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2022/03/01 7:15 p.m.21 views

Command injection

A improper neutralization of special elements used in an os command 'os command injection' in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to...

9CVSS8.9AI score0.01639EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2020/07/13 1:15 a.m.19 views

Authentication flaw

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1...

4CVSS6.3AI score0.01875EPSS
Exploits0References1Affected Software4
Rows per page
Query Builder