779 matches found
Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection
Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support FMCS is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign companyi...
EUVD-2026-35140
Snipe-IT: Bulk editing users allowed ldapimport and activatedin bulk editing users...
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Impact A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. Patches Patched in...
Missing Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the selectlist API endpoint due to missing authorization checks. An attacker can enumerate all active user accounts, harvest usernames, collect...
EUVD-2026-38635
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...
CVE-2026-48493 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...
CVE-2026-48493
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...
CVE-2026-48493
Snipe-IT (IT asset/license management) is affected by CVE-2026-48493 through a privilege-escalation flaw in versions prior to 8.6.0. A user with only users.edit can PATCH /api/v1/users/{their_own_id} to grant themselves any permission except admin/superuser (e.g., assets.view, assets.create, repo...
PT-2026-51646
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.1 Description In S3-backed deployments, the system fails to perform authorization checks before generating temporary URLs for signature image retrieval. Authenticated users who possess a signature filename can...
PT-2026-51616
Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An improper access control issue exists in the 'GET /api/v1/object/selectlist' API endpoint due to a missing authorization check. Any authenticated user, regardless of their assigned...
PT-2026-51636
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description A cross-tenant data injection issue exists in the Accessories API when Full Multiple Companies Support is enabled. A low-privileged authenticated user can create accessory records belonging to a...
CVE-2026-48507
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
CVE-2026-48507
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
CVE-2026-48507
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
CVE-2026-48507
Snipe-IT (IT asset/license management system) has a vulnerability affecting versions before 8.6.0. A non-admin user with only the granular users.edit permission can lock out admins by editing the activated flag (login eligibility) and the ldap_import flag (password reset requests). The issue is f...
PT-2026-47386
Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0 Description An issue in this IT asset and license management system allows a non-admin user with the users.edit permission to lock all administrators out of the instance. This is achieved by modifying the...
Snipe-IT 安全漏洞
Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Versions of Snipe-IT prior to 8.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the ability for non-administrator users to have the "users.edit" permission, allowing them to...
CVE-2026-37709
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component...