Snipe/snipe-it

This hub aggregates every CVE we track for Snipe/snipe-it, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Snipe/snipe-it.

• CVE-2025-15602Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation8.8Mar 6, 2026
• CVE-2025-65622Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.5.4Dec 1, 2025
• CVE-2025-65621Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.5.4Dec 1, 2025
• CVE-2025-64027Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_mess...6.1Nov 20, 2025
• CVE-2025-59712Snipe-IT before 8.1.18 allows XSS.6.4Sep 19, 2025
• CVE-2025-59713Snipe-IT before 8.1.18 allows unsafe deserialization.6.8Sep 19, 2025
• CVE-2025-47226Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.5.0May 2, 2025
• CVE-2024-51093Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the pa...8.7Nov 12, 2024
• CVE-2024-48987Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's reposi...6.6Oct 11, 2024
• CVE-2024-5685Broken Function Level Authorization (BFLA) in snipe/snipe-it7.6Jun 14, 2024
• CVE-2023-5511Cross-Site Request Forgery (CSRF) in snipe/snipe-it8.8Oct 11, 2023
• CVE-2023-5452Cross-site Scripting (XSS) - Stored in snipe/snipe-it5.4Oct 6, 2023
• CVE-2022-44380Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.5.4Dec 25, 2022
• CVE-2022-44381Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.5.3Dec 25, 2022
• CVE-2022-3173Improper Authentication in snipe/snipe-it4.3Sep 17, 2022