Every CVE whose affected-product data names Snipeitapp Snipe-it, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (51)
CVE-2025-63601 — CVSS 9.9 (critical): Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious…
CVE-2026-37709 — CVSS 9.8 (critical): Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote…
CVE-2026-44832 — CVSS 8.8 (high): Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate…
CVE-2022-23064 — CVSS 8.8 (high): In Snipe-IT, versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset…
CVE-2025-15602 — CVSS 8.8 (high): Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against…
CVE-2024-51093 — CVSS 8.7 (high): Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing…
CVE-2024-51094 — CVSS 8.0 (high): An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into…
CVE-2024-5685 — CVSS 7.6 (high): Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's…
CVE-2022-1155 — CVSS 7.4 (high): Old sessions are not blocked by the login enable function. in GitHub repository snipe/snipe-it prior to 5.3.10.
CVE-2026-48507 — CVSS 7.1 (high): Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the…
CVE-2024-48987 — CVSS 6.6 (medium): Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is…
CVE-2026-38533 — CVSS 6.5 (medium): An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the…
CVE-2022-0178 — CVSS 6.3 (medium): Missing Authorization vulnerability in snipe snipe/snipe-it.This issue affects snipe/snipe-i before 5.3.8.
CVE-2019-10118 — CVSS 6.1 (medium): Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.
CVE-2021-3863 — CVSS 6.1 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4108 — CVSS 6.1 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-64027 — CVSS 6.1 (medium): Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV…
CVE-2026-44833 — CVSS 5.9 (medium): Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect…
CVE-2026-48493 — CVSS 5.5 (medium): Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to…
CVE-2022-1445 — CVSS 5.4 (medium): Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The…
CVE-2022-1380 — CVSS 5.4 (medium): Stored Cross Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is…
CVE-2021-3961 — CVSS 5.4 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3938 — CVSS 5.4 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-4018 — CVSS 5.4 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3879 — CVSS 5.4 (medium): snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-65621 — CVSS 5.4 (medium): Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an…
CVE-2025-65622 — CVSS 5.4 (medium): Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject…
CVE-2022-44381 — CVSS 5.3 (medium): Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.
CVE-2022-32061 — CVSS 4.8 (medium): An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to…
CVE-2026-44831 — CVSS 4.8 (medium): Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes…
CVE-2022-32060 — CVSS 4.8 (medium): An arbitrary file upload vulnerability in the Update Branding Settings component of Snipe-IT v6.0.2 allows attackers to execute arbitrary…