Lucene search
K

779 matches found

github
github
added 2026/06/23 11:12 p.m.11 views

Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support FMCS is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign companyi...

8.5CVSS5.8AI score0.00389EPSS
Exploits0References3Affected Software1
euvd
euvd
added 2026/06/23 10:24 p.m.13 views

EUVD-2026-35140

Snipe-IT: Bulk editing users allowed ldapimport and activatedin bulk editing users...

7.1CVSS5.8AI score0.00194EPSS
Exploits0References3
github
github
added 2026/06/23 10:12 p.m.10 views

Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

Impact A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. Patches Patched in...

5.5CVSS5.8AI score0.00182EPSS
Exploits0References3Affected Software1
snyk
snyk
added 2026/06/23 10:11 p.m.6 views

Missing Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the selectlist API endpoint due to missing authorization checks. An attacker can enumerate all active user accounts, harvest usernames, collect...

7.1CVSS5.8AI score0.00385EPSS
Exploits0References2
euvd
euvd
added 2026/06/23 10:11 p.m.9 views

EUVD-2026-38635

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...

5.5CVSS5.8AI score0.00182EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/23 10:11 p.m.30 views

CVE-2026-48493 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...

5.5CVSS0.00182EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/23 10:11 p.m.6 views

CVE-2026-48493

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...

5.5CVSS5.8AI score0.00182EPSS
Exploits0References3Affected Software1
cve
cve
added 2026/06/23 10:11 p.m.18 views

CVE-2026-48493

Snipe-IT (IT asset/license management) is affected by CVE-2026-48493 through a privilege-escalation flaw in versions prior to 8.6.0. A user with only users.edit can PATCH /api/v1/users/{their_own_id} to grant themselves any permission except admin/superuser (e.g., assets.view, assets.create, repo...

5.5CVSS5.8AI score0.00182EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/06/23 12:0 a.m.7 views

PT-2026-51646

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.1 Description In S3-backed deployments, the system fails to perform authorization checks before generating temporary URLs for signature image retrieval. Authenticated users who possess a signature filename can...

5.3CVSS5.9AI score0.00281EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/23 12:0 a.m.9 views

PT-2026-51616

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An improper access control issue exists in the 'GET /api/v1/object/selectlist' API endpoint due to a missing authorization check. Any authenticated user, regardless of their assigned...

7.1CVSS6AI score0.00385EPSS
Exploits0References10
ptsecurity
ptsecurity
added 2026/06/23 12:0 a.m.10 views

PT-2026-51636

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description A cross-tenant data injection issue exists in the Accessories API when Full Multiple Companies Support is enabled. A low-privileged authenticated user can create accessory records belonging to a...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References12
redhatcve
redhatcve
added 2026/06/09 8:59 p.m.13 views

CVE-2026-48507

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References1
nvd
nvd
added 2026/06/08 5:16 p.m.18 views

CVE-2026-48507

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS0.00194EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/08 3:41 p.m.8 views

CVE-2026-48507

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References3Affected Software1
vulnrichment
vulnrichment
added 2026/06/08 3:41 p.m.12 views

CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/08 3:41 p.m.47 views

CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS0.00194EPSS
Exploits0References2
cve
cve
added 2026/06/08 3:41 p.m.29 views

CVE-2026-48507

Snipe-IT (IT asset/license management system) has a vulnerability affecting versions before 8.6.0. A non-admin user with only the granular users.edit permission can lock out admins by editing the activated flag (login eligibility) and the ldap_import flag (password reset requests). The issue is f...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/06/08 12:0 a.m.16 views

PT-2026-47386

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0 Description An issue in this IT asset and license management system allows a non-admin user with the users.edit permission to lock all administrators out of the instance. This is achieved by modifying the...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References8
cnnvd
cnnvd
added 2026/06/08 12:0 a.m.15 views

Snipe-IT 安全漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Versions of Snipe-IT prior to 8.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the ability for non-administrator users to have the "users.edit" permission, allowing them to...

7.1CVSS5.4AI score0.00194EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/06/05 7:45 p.m.10 views

CVE-2026-37709

Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component...

9.8CVSS6AI score0.00475EPSS
Exploits0References1
Rows per page
Query Builder